CVE-2024-45442

5.1 MEDIUM

📋 TL;DR

This vulnerability allows attackers to bypass permission verification in Huawei's DownloadProviderMain module APIs, potentially disrupting download services. It affects Huawei devices running vulnerable software versions. The impact is primarily on service availability.

💻 Affected Systems

Products:
  • Huawei smartphones and tablets
Versions: Specific versions not detailed in advisory; check Huawei security bulletin for affected EMUI/HarmonyOS versions
Operating Systems: EMUI, HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the DownloadProviderMain module which handles download management services.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disruption of download services, preventing software updates and app installations on affected devices.

🟠 Likely Case

Temporary service degradation or denial of download functionality for specific applications.

🟢 If Mitigated

Minimal impact with proper network segmentation and API access controls in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires API access to the DownloadProviderMain module; likely requires some level of device access or malicious app installation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Huawei security bulletin for specific patched versions

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2024/9/

Restart Required: Yes

Instructions:

1. Check Huawei security bulletin for affected device models.
2. Install latest security update via Settings > System & updates > Software update.
3. Restart device after update completes.

🔧 Temporary Workarounds

  • Disable unnecessary download services (all): Restrict background download services for non-essential applications
  • Application permission review (all): Audit and restrict app permissions related to download management

🧯 If You Can't Patch

  • Segment network to restrict API access to DownloadProviderMain services
  • Implement application allowlisting to prevent unauthorized apps from accessing download APIs

🔍 How to Verify

Check if Vulnerable:

Check device software version in Settings > About phone > Software information and compare with Huawei security bulletin

Check Version:

Not applicable for mobile devices; use device settings menu

Verify Fix Applied:

Verify security patch level in Settings > Security > Security update and ensure it includes September 2024 or later patches

📡 Detection & Monitoring

Log Indicators:

  • Unusual download service failures
  • Multiple permission denial errors in system logs
  • Unexpected API calls to DownloadProviderMain

Network Indicators:

  • Abnormal download traffic patterns
  • Unexpected connections to download servers

SIEM Query:

Not applicable for typical mobile device environments
