CVE-2022-39000 The iAware module has a vulnerability in managing malicious apps that will start automatically on system startup.

This can be especially dangerous for business users who have remote access to their systems, or for users who install unverified apps.

If you are running a version of iAware prior to 2.0.0.119, you are vulnerable to this security issue. You can verify if you are running an affected version by running the following command in your iAware console: iware version If the version of iAware shown is lower than 2.0.0.119, you are vulnerable to this issue. Note that you must run iAware on version 2.0.0.119 or greater to be protected from this issue.

Description of CVE-2022 -39000

The iAware software is vulnerable to a remote code execution vulnerability. If exploited, this issue could allow an attacker to execute arbitrary code on the system and potentially gain control of the system. The impact of exploitation depends on the privileges of the user running iAware.

Mitigation Strategies

If you are running an affected version of iAware, you should install the latest version of iAware. If you cannot update to the latest version, you should ensure that your system is not accessible via the internet or from remote devices. You should also disable any third party applications that grant access to your iAware console. Finally, if it is absolutely necessary for your business to allow external access to your iAware console, you should not use a shared network connection when accessing your systems locally.

Mitigating these steps will protect your organization against this security issue.

iAware 2.0.0 to 2.0.0.119

Starting with iAware 2.0.0, a new version is released every 6 months. Sometimes the release cycle may not be as regular due to scheduled updates or testing (e.g. 2.2). You can check the release history on the project's website to view available releases and download them as needed.

iAware 2.0 is a significant update that includes a number of security enhancements, including this CVE-2022-39000 vulnerability mentioned above as well as other changes that reflect our commitment to protecting users from such vulnerabilities in the future.

What is iAware? iAware is a remote monitoring tool that provides insight into your system's performance. It can be used to check logs, use it as a remote control, and run scheduled tasks.

Summary:
iAware is a remote monitoring tool that provides insight into your system's performance. If you are running an affected version of iAware, you will be vulnerable to this security issue.

Timeline

Published on: 09/16/2022 18:15:00 UTC
Last modified on: 09/20/2022 19:07:00 UTC

References

• https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202209-0000001392278845
• https://consumer.huawei.com/en/support/bulletin/2022/9/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39000