CVE-2022-44563: Huawei Recovery Update Zip ToC-ToU Vulnerability

We have identified a new Toc-ToU race condition vulnerability in Huawei’s recovery image implementation of SD-card based firmware updates. The vulnerability can be exploited to achieve arbitrary code execution in recovery mode, enabling unauthentic firmware updates, firmware downgrades to a known vulnerable version or other system modifications.
The vulnerability we are disclosing in this advisory affected a wide range of Huawei devices, including phones on the newest chipsets (Kirin 9000). The November 2022 issue of HarmonyOS and EMUI Security Bulletins …

advisory card code code execution cve devices exploited firmware firmware updates huawei mode november phones race condition recovery system update updates version vulnerability vulnerable zip