CVE-2021-40046

Vulnerability

PCManager version 11.1.1.95 contains a privilege escalation vulnerability (Vulnerability ID: HWPSIRT-2021-49498) that allows an attacker to access resources beyond their granted privileges. The vulnerability requires the attacker to send a crafted message to the system [1]. The affected product is Huawei PCManager versions 11.1.1.95, with the resolved version being 12.0.1.20 (SP1) [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted message to the system [1]. The attack does not require authentication but relies on the ability to deliver the crafted input to the PCManager service. The exact message structure and delivery method are not detailed in the references.

Impact

Successful exploitation allows the attacker to access certain resources that are beyond their normal privilege level [1]. This could lead to unauthorized information disclosure or unauthorized modification of system resources, depending on the nature of the protected resource. The vulnerability is classified as a privilege escalation issue [1].

Mitigation

Huawei has released a software update to fix this vulnerability. The resolved version for PCManager is 12.0.1.20 (SP1) [1]. Users should update to this version or later to mitigate the risk. No workarounds have been provided. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory date [1].