Unrated severity · NVD Advisory · Published Jul 1, 2021 · Updated Aug 4, 2024

CVE-2020-9158


Description

There is a Missing Cryptographic Step vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause DoS of Samgr.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing cryptographic step in Huawei's Samgr on multiple EMUI/Magic UI versions can be exploited to cause a denial of service.

Vulnerability

CVE-2020-9158 is a missing cryptographic step vulnerability in the Samgr component of Huawei Smartphones. The vulnerability affects devices running EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1, EMUI 8.2, and EMUI 8.0 [1]. The issue arises from a cryptographic step being improperly implemented, which allows an attacker to interfere with the normal operation of the service.

Exploitation

An attacker can exploit this vulnerability without requiring authentication or physical proximity, as the Samgr component is exposed to network interactions. The missing cryptographic step enables the attacker to send crafted inputs that disrupt the Samgr function, leading to its failure. Specific conditions or configuration requirements are not disclosed, but the vulnerability is reachable remotely.

Impact

Successful exploitation of this vulnerability results in a denial of service (DoS) condition on the Samgr component. This causes the Huawei Share application to experience exceptions, effectively disrupting file sharing and other related functionalities on the affected device [1]. The impact is limited to service availability, with no indication of data compromise or privilege escalation.

Mitigation

Huawei has addressed this vulnerability in security updates released as part of the January 2021 security bulletin [1]. Users should update their devices to the latest firmware versions for their respective EMUI or Magic UI builds. There is no known public exploit code, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. No workarounds have been provided; applying the official patch is the recommended mitigation.

References
  1. January

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.
