ID

VAR-201606-0021


CVE

CVE-2016-4005


TITLE

Vulnerability in Huawei Hilink APP for Android

Trust: 0.8

sources: JVNDB: JVNDB-2016-003223

DESCRIPTION

The Huawei Hilink App application before 3.19.2 for Android does not validate SSL certificates, which allows local users to have unspecified impact via unknown vectors, aka HWPSIRT-2016-03008. The vendor has confirmed this vulnerability and released it as HWPSIRT-2016-03008. Local users may be affected in unspecified ways. Successfully exploiting this issue allows local attackers to perform man-in-the-middle attacks and bypass certain security restrictions.

The following technologies are affected:

WearAPP versions prior to 15.0.0.307 are vulnerable
HiLink APP versions prior to 3.19.2 are vulnerable

Note: This issue was previously titled 'Huawei Wear APP CVE-2016-3677 SSL Certificate Validation Local Security Bypass Vulnerability'. The title has been changed to better reflect the vulnerability information.

Both Huawei WearAPP and HiLink are products of the Chinese company Huawei. The former is a set of APPs used in conjunction with smart wearable devices, and the latter is a unified management platform for Huawei network connection terminals. There are security vulnerabilities in Huawei WearAPP versions earlier than 15.0.0.307 (Android) and HiLink versions earlier than 3.19.2 (Android).

Trust: 1.98

sources: NVD: CVE-2016-4005 // JVNDB: JVNDB-2016-003223 // BID: 86536 // VULHUB: VHN-92824

AFFECTED PRODUCTS

vendor: huawei, model: hilink app, scope: lte, version: 3.19.1

Trust: 1.0

vendor: huawei, model: hilink, scope: lt, version: 3.19.2

Trust: 0.8

vendor: huawei, model: hilink app, scope: eq, version: 3.19.1

Trust: 0.6

sources: JVNDB: JVNDB-2016-003223 // CNNVD: CNNVD-201605-471 // NVD: CVE-2016-4005

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-4005
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-4005
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201605-471
value: HIGH

Trust: 0.6

VULHUB: VHN-92824
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-4005
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-92824
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-4005
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-92824 // JVNDB: JVNDB-2016-003223 // CNNVD: CNNVD-201605-471 // NVD: CVE-2016-4005

PROBLEMTYPE DATA

problemtype: CWE-310

Trust: 1.9

sources: VULHUB: VHN-92824 // JVNDB: JVNDB-2016-003223 // NVD: CVE-2016-4005

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201605-471

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201605-471

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-003223

PATCH

title: huawei-sa-2016419-01-wear, url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160419-01-wear-en

Trust: 0.8

title: Huawei WearAPP and HiLink Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=61785

Trust: 0.6

sources: JVNDB: JVNDB-2016-003223 // CNNVD: CNNVD-201605-471

EXTERNAL IDS

db: NVD, id: CVE-2016-4005

Trust: 2.8

db: BID, id: 86536

Trust: 1.4

db: JVNDB, id: JVNDB-2016-003223

Trust: 0.8

db: CNNVD, id: CNNVD-201605-471

Trust: 0.7

db: VULHUB, id: VHN-92824

Trust: 0.1

sources: VULHUB: VHN-92824 // BID: 86536 // JVNDB: JVNDB-2016-003223 // CNNVD: CNNVD-201605-471 // NVD: CVE-2016-4005

REFERENCES

url: http://www.securityfocus.com/bid/86536

Trust: 1.1

url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160419-01-wear-en

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4005

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4005

Trust: 0.8

url: http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20160419-01-wear-cn

Trust: 0.6

sources: VULHUB: VHN-92824 // JVNDB: JVNDB-2016-003223 // CNNVD: CNNVD-201605-471 // NVD: CVE-2016-4005

CREDITS

Akshay Jain

Trust: 0.6

sources: CNNVD: CNNVD-201605-471

SOURCES

db: VULHUB, id: VHN-92824
db: BID, id: 86536
db: JVNDB, id: JVNDB-2016-003223
db: CNNVD, id: CNNVD-201605-471
db: NVD, id: CVE-2016-4005

LAST UPDATE DATE

2025-04-12T23:27:30.560000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-92824, date: 2016-11-28T00:00:00
db: BID, id: 86536, date: 2016-07-06T14:59:00
db: JVNDB, id: JVNDB-2016-003223, date: 2016-06-20T00:00:00
db: CNNVD, id: CNNVD-201605-471, date: 2016-06-14T00:00:00
db: NVD, id: CVE-2016-4005, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-92824, date: 2016-06-13T00:00:00
db: BID, id: 86536, date: 2016-04-19T00:00:00
db: JVNDB, id: JVNDB-2016-003223, date: 2016-06-20T00:00:00
db: CNNVD, id: CNNVD-201605-471, date: 2016-05-19T00:00:00
db: NVD, id: CVE-2016-4005, date: 2016-06-13T14:59:06.353