安全预警-涉及华为多个产品的Glibc缓冲区溢出安全漏洞
- 预警编号:Huawei-SA-20150226-01-Glibc
- 初始发布时间: 2015-02-26
- 更新发布时间: 2015-03-13
华为注意到Qualys公司在2015年1月27日公开了一个在GNU C库(glibc)中存在的缓冲区溢出漏洞,调用gethostbyname系列函数的应用程序将受到影响。攻击者可以利用这个漏洞达到远程执行代码的目的。(漏洞编号:HWPSIRT-2015-01045)
此漏洞的CVE编号为:CVE-2015-0235。|
产品名称 |
受影响的版本 |
修复版本 |
|
AR510 |
AR510 V200R005C30 |
AR510 V200R006C10 |
|
AR3200 |
AR3200 V200R005C30 |
AR3200 V200R006C10 |
|
BH620 |
iMana software V2.26 and earlier versions |
Refer to the temporary fix |
|
BH620 V2 |
iMana software V7.05 and earlier versions |
iMana software V7.06 |
|
BH621 V2 |
||
|
BH622 V2 |
||
|
BH640 V2 |
||
|
CH121 |
iMana software V6.05 and earlier versions |
iMana software V6.08 |
|
CH121 V3 |
iBMC software V1.27 and earlier versions |
iBMC software V1.35 |
|
CH140 |
iMana software V6.05 and earlier versions |
iMana software V6.08 |
|
CH220 |
iMana software V6.05 and earlier versions |
iMana software V6.08 |
|
CH221 |
iMana software V6.05 and earlier versions |
iMana software V6.08 |
|
CH222 |
iMana software V6.05 and earlier versions |
iMana software V6.08 |
|
CH222 V3 |
iBMC software V1.28 and earlier versions |
iBMC software V1.35 |
|
CH240 |
iMana software V6.05 and earlier versions |
iMana software V6.08 |
|
CH242 |
iMana software V6.05 and earlier versions |
iMana software V6.08 |
|
CH242 V3 |
iMana software V6.05 and earlier versions |
iMana software V6.08 |
|
CloudEngine 12800 |
CloudEngine 12800 V100R003C00 |
CloudEngine 12800 V100R003HP0006 |
|
CloudEngine 12800 V100R003C10 |
CloudEngine 12800 V100R003HP0006 |
|
|
CloudEngine 5800 |
CloudEngine 5800V100R003C00 |
CloudEngine 5800 V100R003HP0006 |
|
CloudEngine 5800V100R003C10 |
CloudEngine 5800 V100R003HP0006 |
|
|
CloudEngine 6800 |
CloudEngine 6800V100R003C00 |
CloudEngine 6800 V100R003HP0006 |
|
CloudEngine 6800V100R003C10 |
CloudEngine 6800 V100R003HP0006 |
|
|
CloudEngine 7800 |
CloudEngine 7800V100R003C00 |
CloudEngine 7800 V100R003HP0006 |
|
CloudEngine 7800V100R003C10 |
CloudEngine 7800 V100R003HP0006 |
|
|
DC |
V100R002 |
|
|
DH310 V2 |
iMana software V7.05 and earlier versions |
iMana software V7.06 |
|
DH320 V2 |
||
|
DH321 V2 |
||
|
DH620 V2 |
||
|
DH621 V2 |
||
|
DH628 V2 |
||
|
E6000 Chassis |
MM software V5.20 and earlier versions |
MM software V5.21 |
|
E9000 Chassis |
MM software V3.05 and earlier versions |
MM software V3.07 |
|
eSight Network |
V200R005C00 |
|
|
eSpace CAD |
V100R001 |
|
|
eSpace DCM |
V100R001 |
|
|
eSpace EMS |
V200R001C03 |
|
|
eSight UC&C |
V100R001C01 |
|
|
eSpace IVS |
V100R001 |
|
|
eSpace 7910 |
eSpace 7910 V100R001C01 |
eSpace 7910 V200R002C00SPC700B010 |
|
eSpace 7910 V100R001C50 |
eSpace 7910 V200R003C00SPC100B011 |
|
|
eSpace 7910 V200R002C00 |
eSpace 7910 V200R002C00SPC700B010 |
|
|
eSpace 7910 V200R003C00 |
eSpace 7910 V200R003C00SPC100B011 |
|
|
eSpace 7950 |
eSpace 7950 V100R001C01 |
eSpace 7950 V200R002C00SPC700B010 |
|
eSpace 7950 V100R001C02 |
||
|
eSpace 7950 V100R001C30 |
||
|
eSpace 7950 V100R001C50 |
eSpace 7950 V200R003C00SPC100B011 |
|
|
eSpace 7950 V200R002C00 |
eSpace 7950 V200R002C00SPC700B010 |
|
|
eSpace 7950 V200R003C00 |
eSpace 7950 V200R003C00SPC100B011 |
|
|
eSpace CC |
eSpace CC V100R001 |
Suse Patch |
|
eSpace CC V200R001 |
||
|
eSpace IPC |
eSpace IPC V100R001C11 |
eSpace IPC V100R001C21SPC302 |
|
eSpace IPC V100R001C21 |
||
|
eSpace U2980 |
eSpace U2980 V100R001 |
eSpace U2980 V100R001C10SPC105 |
|
eSpace U2990 |
eSpace U2990 V200R001 |
eSpace U2990 V200R001C10SPC105 |
|
eSpace UMS |
eSpace UMS V200R002 |
eSpace UMS V200R002C00SPC100 |
|
eSpace USM |
eSpace USM V100R001 |
eSpace USM V100R001C10SPC105 |
|
FusionAccess |
FusionAccess V100R005C10 |
FusionAccess V100R005C20SPC101 |
|
FusionAccess V100R005C20 |
FusionAccess V100R005C20SPC101 |
|
|
FusionCloud Desktop Solution |
FusionCloud Desktop Solution V100R005C20 |
FusionAccess V100R005C20SPC101 |
|
FusionCompute |
FusionCompute V100R002C02 |
FusionCompute V100R005C00SPC300 |
|
FusionCompute V100R003C00 |
||
|
FusionCompute V100R003C10 |
||
|
FusionCompute V100R005C00 |
||
|
FusionManager |
FusionManager V100R003C00 |
FusionManager V100R003C00SPC308 |
|
FusionManager V100R003C10 |
FusionManager V100R003C10SPC620 |
|
|
FusionManager V100R005C00 |
FusionManager V100R005C00SPC300 |
|
|
FusionManager V100R005C10 |
||
|
FusionStorage DSware |
FusionStorage DSware V100R003C00 |
FusionStorage DSware V100R003C00SPC307 |
|
FusionStorage DSware V100R003C02 |
FusionStorage DSware V100R003C02SPC302 |
|
|
GalaX8800 |
GalaX8800 V100R002C01 |
|
|
IPC6221-VRZ |
IPC6221-VRZ V100R001C00 |
IPC6221-VRZ V100R001C00SPC100B012 |
|
ManageOne |
V100R001C01 |
|
|
NVS |
V100R002 |
|
|
OceanStor Backup Software |
OceanStor Backup Software V100R001C00 |
|
|
OceanStor HDP3500E |
OceanStor HDP3500E V100R002C00 |
OceanStor HDP3500E V100R003C00SPH505 |
|
OceanStor HDP3500E V100R003C00 |
||
|
OceanStor UDS |
OceanStor UDS V100R002C00 |
OceanStor UDS V100R002C01SPC103 |
|
OceanStor UDS V100R002C01 |
||
|
OceanStor VTL6900 |
OceanStor VTL6900 V100R005C00 |
OceanStor VTL6900 V100R005C00SPH601 |
|
OceanStor VTL6900 V100R005C10 |
OceanStor VTL6900 V100R005C10SPC100 |
|
|
OMM Solution |
V100R001 |
|
|
RH1285 |
iMana software V2.28 and earlier versions |
Refer to the temporary fix |
|
RH2285 |
iMana software V2.25 and earlier versions |
Refer to the temporary fix |
|
RH1288 V2 |
iMana software V7.05 and earlier versions |
iMana software V7.06 |
|
RH2265 V2 |
||
|
RH2285 V2 |
||
|
RH2265H V2 |
||
|
RH2285H V2 |
||
|
RH2268 V2 |
||
|
RH2288 V2 |
||
|
RH2288H V2 |
||
|
RH2288E V2 |
||
|
RH2485 V2 |
||
|
RH5885 V2 |
iMana software V5.50 and earlier versions |
iMana software V5.51 |
|
RH5885 V3 |
iMana software V7.05 and earlier versions |
iMana software V7.06 |
|
RH5885H V3 |
iMana software V7.05 and earlier versions |
iMana software V7.06 |
|
RH1288 V3 |
iBMC software V1.28 and earlier versions |
iBMC software V1.35 |
|
RH2288 V3 |
||
|
RH2288H V3 |
||
|
RH1288A V2 |
||
|
RH2288A V2 |
||
|
RH8100 V3 |
||
|
RSE6500 |
RSE6500 V100R001C00 |
RSE6500 V100R001C00SPC300 |
|
SAP HANA Appliance |
SAP HANA Appliance V100R001C00 |
RH5885H V3 V100R003C00SPC106 |
|
Tecal XH310 V2 |
Tecal XH310 V2 V100R001C00SPC100 |
Tecal XH310 V2 V100R001C00SPC300 |
|
Tecal XH311 V2 |
Tecal XH311 V2 V100R001C00 |
Tecal XH311 V2 V100R001C00SPC300 |
|
Tecal XH320 V2 |
Tecal XH320 V2 V100R001C00 |
Tecal XH320 V2 V100R001C00SPC300 |
|
Tecal XH321 V2 |
Tecal XH321 V2 V100R002C00 |
Tecal XH321 V2 V100R002C00SPC300 |
|
Tecal XH621 V2 |
Tecal XH621 V2 V100R001C00 |
Tecal XH621 V2 V100R001C00SPC300 |
|
V1300N |
V100R002 |
|
|
VAE |
V100R001 |
|
|
XH320 |
iMana software V2.05 and earlier versions |
Refer to the temporary fix |
|
XH620 |
iMana software V2.17 and earlier versions |
Refer to the temporary fix |
|
XH310 V2 |
iMana software V7.05 and earlier versions |
iMana software V7.06 |
|
XH311 V2 |
||
|
XH320 V2 |
||
|
XH321 V2 |
||
|
XH621 V2 |
||
|
XH628 V3 |
iBMC software V1.28 and earlier versions |
iBMC software V1.35 |
|
MM810 V3 |
漏洞使用CVSSv2计分系统进行分级(http://www.first.org/cvss/)
基础得分: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
临时得分: 7.3 (E:P/RL:O/RC:C)漏洞存在于glibc库中的一个用于处理DNS请求的函数中,由于在处理主机名参数时未加验证使用 strcpy (hostname, name)从而导致缓冲区溢出。Glibc是GNU发布的libc库,是Linux系统中最底层的API,几乎其它任何运行库都会依赖于Glibc。Redhat、SUSE、Ubuntu等主流Linux都受此漏洞影响。该漏洞可以在本地或者远程触发,成功利用该漏洞可以以当前进程的用户权限执行任意代码,进而控制操作系统主机。
更详细的技术细节请参考:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235BH620/ RH1285/ RH2285/ XH320/ XH620产品只有WEB服务调用了受影响函数gethostbyname。其它接口未使用gethostbyname,不受漏洞影响。可以关闭WEB服务,规避该漏洞的影响。被关闭的WEB服务所提供的功能可以通过CLI操作。
用户可以通过华为TAC (Huawei Technical Assistance Center)获取补丁/更新版本。
TAC的联系方式见链接: http://www.huawei.com/cn/security/psirt/report-vulnerabilities/index.htm.
对于华为产品和解决方案的安全问题,请通过PSIRT@huawei.com联系华为PSIRT。
对于通用的华为产品和解决方案的问题,直接联系华为TAC(Huawei Technical Assistance Center)获取相关问题的配置或技术协助
2015-03-13 V1.3 UPDATED Update the affected version and fixed version
2015-03-02 V1.2 UPDATED Update the affected version and fixed version
2015-02-28 V1.1 UPDATED Update the affected version and fixed version
2015-02-26 V1.0 INITIAL无
