CVE-2020-9148

Vulnerability

CVE-2020-9148 is a vulnerability in the telephony application component interface of Huawei smartphones running EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, and Magic UI 3.0.0 [1]. The issue is an application bypass mechanism that allows unauthorized deletion of SMS messages.

Exploitation

A local attacker must have the ability to execute code on the device, for example through a malicious application installed by the user. The attacker can exploit the bypass mechanism in the telephony interface to delete SMS messages without proper authorization [1]. No additional privileges or user interaction beyond installation of the malicious app are required.

Impact

Successful exploitation allows the attacker to delete arbitrary SMS messages stored on the device. This compromises the integrity and availability of SMS data, potentially leading to loss of important communications or evidence [1].

Mitigation

Huawei released a security update in January 2021 that addresses this vulnerability. Users should update their devices to the latest EMUI or Magic UI version as provided in the security bulletin [1]. No workarounds are documented.