CVE-2020-9089

Vulnerability

An information vulnerability exists in Huawei smartphones where a function in a module can be called without verifying the caller's access. This affects HUAWEI P30 Pro devices running versions earlier than 10.1.0.120(C431E19R2P5), 10.1.0.120(C432E19R2P5), and 10.1.0.126(C10E11R5P1) (and other regional variants) [1]. The flaw is present in the software prior to the fixed releases listed in the advisory.

Exploitation

An attacker with user access to the device can exploit this vulnerability by invoking the vulnerable function without proper authorization checks. No additional privileges or user interaction beyond standard user access are required [1]. The exact sequence of steps is not detailed in the available references, but the attack vector is local (user-level access).

Impact

Successful exploitation leads to information disclosure, allowing the attacker to obtain sensitive data that should be protected. The vulnerability results in an information leak, potentially exposing personal or system-level information [1]. The scope is limited to the confidentiality of data accessible via the vulnerable function.

Mitigation

Huawei has released software updates to fix this vulnerability. Users should upgrade their HUAWEI P30 Pro devices to the resolved versions: 10.1.0.120(C431E19R2P5), 10.1.0.120(C432E19R2P5), 10.1.0.126(C10E11R5P1), or later as appropriate for their region [1]. The advisory was published on 2020-08-26, and no workarounds are mentioned. The vulnerability is not listed on the CISA KEV as of the publication date.