CVE-2023-46759

7.5 HIGH

📋 TL;DR

CVE-2023-46759 is a permission control vulnerability in Huawei's call module that allows unauthorized access to sensitive information. Successful exploitation could compromise service confidentiality by allowing attackers to bypass intended permission restrictions. This affects Huawei devices running HarmonyOS with vulnerable call module versions.

💻 Affected Systems

Products:
  • Huawei smartphones and devices with HarmonyOS
Versions: Specific HarmonyOS versions as detailed in Huawei security bulletins (November 2023)
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with the vulnerable call module version; exact device models and versions specified in Huawei advisories.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of call-related sensitive data including call logs, contact information, and potentially call recordings, leading to privacy violations and data exfiltration.

🟠 Likely Case

Unauthorized access to call metadata and limited sensitive information, potentially enabling targeted attacks or information gathering.

🟢 If Mitigated

Minimal impact with proper access controls and network segmentation limiting exposure of vulnerable components.

🌐 Internet-Facing: MEDIUM - While the vulnerability affects call functionality, exploitation typically requires some level of access to the device or network.
🏢 Internal Only: MEDIUM - Internal attackers or compromised devices could exploit this to escalate privileges or access sensitive call data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of HarmonyOS permission mechanisms and likely some level of device access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS security updates released in November 2023

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2023/11/

Restart Required: Yes

Instructions:

1. Check for system updates in device Settings > System & updates > Software update.
2. Download and install available security updates.
3. Restart device after installation completes.

🔧 Temporary Workarounds

Disable unnecessary call permissions

Review and restrict call-related app permissions to minimum required functionality

Network segmentation

Isolate affected devices from sensitive networks and implement strict network access controls

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unusual call module activity
  • Isolate affected devices from networks containing sensitive information

🔍 How to Verify

Check if Vulnerable:

Check device HarmonyOS version in Settings > About phone > HarmonyOS version and compare with Huawei security bulletins

Check Version:

Settings > About phone > HarmonyOS version

Verify Fix Applied:

Verify HarmonyOS version after update and ensure November 2023 security patches are installed

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to call module APIs
  • Permission denial logs for call-related operations
  • Unusual call module activity patterns

Network Indicators:

  • Unexpected network traffic from call-related services
  • Attempts to access call data from unauthorized sources

SIEM Query:

source="device_logs" AND (module="call" OR permission="android.permission.CALL_PHONE") AND (action="denied" OR result="failure")
