CVE-2021-22403

Vulnerability

A vulnerability exists in Huawei Smartphone that allows hijacking of unverified providers. Successful exploitation may enable attackers to hijack the device and forge user interfaces to induce users to execute malicious commands. Affected versions include EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, and Magic UI 3.1.0, as per the vendor's July security bulletin [1].

Exploitation

An attacker can exploit this vulnerability by providing unverified or malicious providers that the affected Huawei Smartphone trusts without proper validation. This requires the attacker to have the ability to install or deliver a malicious application or content that interacts with the vulnerable component. No user interaction beyond normal use may be required, as the hijacking occurs through the forged UI that induces the user to execute commands [1].

Impact

Successful exploitation allows the attacker to hijack the device and present forged user interfaces, potentially tricking the user into executing malicious commands. This could lead to unauthorized actions on the device, including data access, command execution, or further compromise of the device's integrity and confidentiality [1].

Mitigation

Huawei has addressed this vulnerability in the July 2021 security update, which is included in the regular monthly security bulletin for flagship models. Users are advised to update their devices to the latest firmware version to mitigate the risk. No workaround is available [1].