This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy
The HWTACACS modules of some Huawei CloudEngine series switches have vulnerabilities. Attackers can execute the commands that can be used by users with higher-level permissions by bypass the right check of HWTACACS server. (HWPSIRT-2013-1256).
This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2014-1688.
Product name |
Version |
CE5800/CE6800/CE12800 |
V100R001C00SPC200 and earlier versions |
CE12800 |
V100R001C01SPC100 and earlier versions |
Attackers can execute the commands that can be used by users with higher-level permissions.
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Temporal Score: 7.5 (E:F/RL:O/RC:C)
1. Prerequisite:
The attackers must obtain the user name and password of a user with lower-level permissions and must be reachable to the device with the vulnerability.
2. Attacking procedure:
Attackers log in to the CloudEngine as users with lower-level permissions and execute commands that have higher-level permissions.
Upgrading version and upgrading date:
Product name |
Solved version |
Solved time |
CE5800/CE6800/CE12800 |
V100R002C00SPC200 |
Released |
V100R001SPH001 |
This vulnerability is found by Huawei internal test engineer. The Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2014-02-11 V1.1 UPDATED update the information of CVE-ID
2013-12-28 V1.0 INITIAL
None