We have identified a new time-of-check/time-of-use (TOCTOU) race condition vulnerability in the SD-card based firmware update implementation of Huawei’s recovery image. The vulnerability can be exploited to achieve arbitrary code execution in recovery mode, enabling unauthentic firmware updates, firmware downgrades to a known vulnerable version, or other system modifications.
The vulnerability we are disclosing in this advisory affected a wide range of Huawei devices, including phones on the newest chipsets (Kirin 9000). The November 2022 issue of HarmonyOS and EMUI Security Bulletins contains this vulnerability as CVE-2022-44563.
Vulnerability Details
The implementation of the “SD-update” mode of the Huawei recovery process, a proprietary mode for handling update files located on external media, is vulnerable because the update file is re-read from the external media between the different verification phases.
Summary
In this advisory we are disclosing a signature verification bypass vulnerability in the Huawei recovery mode. The vulnerability can be used not only to apply unauthentic firmware updates but also to achieve arbitrary code execution in the recovery mode. Combining this advisory with the vulnerability detailed in CVE-2021-40055, an attacker can achieve remote code execution without user interaction from the position of a network MITM.
The vulnerability was fixed in February 2022.
Vulnerability Details
Huawei devices, both those running Android and those running HarmonyOS, implement a proprietary update solution which can be applied in various ways. The methods are all public and differ in how the process is triggered (manually or automatically) and how the update media file to be applied is supplied (downloaded over Wi-Fi or supplied from a memory card).
Summary
In this advisory we are disclosing a vulnerability in the Huawei Over-The-Air (OTA) update implementation that allows the SSL protections to be bypassed and a Man-In-The-Middle attack to be executed. The vulnerability was fixed in March 2022.
Vulnerability Details
Huawei devices, both those running Android and those running HarmonyOS, use Huawei’s custom implementation for applying OTA updates.
OTA updates are packaged into a zip container. The update mechanism has several checks that are meant to ensure the authenticity of OTA images before they are applied: the over-the-air download is supposed to happen over a secure connection to prevent Man-In-The-Middle attacks, the zip file carries a cryptographic signature that is verified by the update process, and finally the contents of the zip file include further authentication tags.