Information Disclosure via AEE extension to debuggerd

Product: Huawei Y6 Pro Dualsim
Severity: Medium
CVE Reference: N/A
Type: Information Disclosure

Description

Huawei is a company that provides networking and telecommunications equipment.
The AEE (Android Exception Enhancement) extension in the debuggerd daemon leaks sensitive information such as screenshots, the address space of any process, kernel and system logs, and other information about the current state of the system. A malicious Android application, or any other user on the device, could abuse this to disclose sensitive data or develop further attacks against the device itself.

Impact

Exploitation of this issue could allow any user to disclose sensitive information, which can then be used to develop further attacks or to steal confidential data such as screenshots or application logs.

Cause

Lack of privilege validation on the @com.mtk.aee.aed and @com.mtk.aee.aed_64 Unix sockets.

Solution

This vulnerability was resolved by Huawei in version TIT-L01C576B120. More information can be found on the Huawei web page: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170804-01-smartphone-en 

Technical details

Please refer to the attached advisory.

Disclosure Timeline

Date        Summary
2017-04-05  Issue reported to Huawei.
2017-08-04  Huawei confirmed this issue was fixed in version TIT-L01C576B120.