Security Advisory-Multiple Vulnerabilities on Huawei Tecal
- SA No:Huawei-SA-20141224-01-Tecal
- Initial Release Date: 2014-12-24
- Last Release Date: 2015-02-26
1.Some Huawei server products have the sensitive information leak vulnerability. Users who log in to the products can view the sessions IDs of all online users on the Online Users page of the web UI. Attackers can also view the session IDs of users and access the system with forged identities (vulnerability ID: HWPSIRT-2014-11109).
This vulnerability has been assigned a CVE ID: CVE-2014-9691.
2.Some Huawei server products have the insufficiently random RMCP+ session ID vulnerability. The products can use only few limited RMCP+ session IDs. Attackers can figure out the RMCP+ session IDs of users and access the system with forged identities (vulnerability ID: HWPSIRT-2014-11113).
This vulnerability has been assigned a CVE ID: CVE-2014-9692.
3.Some Huawei server products have the cache overflow vulnerability. When processing some packets from the DNS server, the products do not identify the data length. Attackers can exploit the vulnerability to execute arbitrary code or restart the system (vulnerability ID: HWPSIRT-2014-11114).
This vulnerability has been assigned a CVE ID: CVE-2014-9693.
4.Some Huawei server products have the CSRF vulnerability. The products do not use the Token mechanism for web access control. When users log in to the Huawei servers and access websites containing the malicious CSRF script, the CSRF script is executed, which may cause configuration tampering and system restart (HWPSIRT-2014-11115).
This vulnerability has been assigned a CVE ID: CVE-2014-9694.
|
Product name |
Affected Version |
Resolved Product and Version |
|
Tecal RH1288 V2 |
V100R002C00SPC107 and earlier versions |
V100R002C00SPC116 |
|
Tecal RH2265 V2 |
V100R002C00 |
Upgrade to RH2285 V2 V100R002C00SPC116 |
|
Tecal RH2285 V2 |
V100R002C00SPC115 and earlier versions |
V100R002C00SPC116 |
|
Tecal RH2265 V2 |
V100R002C00 |
Upgrade to RH2285H V2 V100R002C00SPC112 |
|
Tecal RH2285H V2 |
V100R002C00SPC111 and earlier versions |
V100R002C00SPC112 |
|
Tecal RH2268 V2 |
V100R002C00 |
Upgrade to RH2288 V2 V100R002C00SPC118 |
|
Tecal RH2288 V2 |
V100R002C00SPC117 and earlier versions |
V100R002C00SPC118 |
|
Tecal RH2288H V2 |
V100R002C00SPC115 and earlier versions |
V100R002C00SPC116 |
|
Tecal RH2485 V2 |
V100R002C00SPC502 and earlier versions |
V100R002C00SPC503 |
|
Tecal RH5885 V2 |
V100R001C02SPC109 and earlier versions |
V100R001C02SPC110 |
|
Tecal RH5885 V3 |
V100R003C01SPC102 and earlier versions |
V100R003C01SPC103 |
|
Tecal RH5885H V3 |
V100R003C00SPC102 and earlier versions |
V100R003C00SPC103 |
|
Tecal XH310 V2 |
V100R001C00SPC110 and earlier versions |
V100R001C00SPC111 |
|
Tecal XH311 V2 |
V100R001C00SPC110 and earlier versions |
V100R001C00SPC111 |
|
Tecal XH320 V2 |
V100R001C00SPC110 and earlier versions |
V100R001C00SPC111 |
|
Tecal XH621 V2 |
V100R001C00SPC106 and earlier versions |
V100R001C00SPC107 |
|
Tecal DH310 V2 |
V100R001C00SPC110 and earlier versions |
V100R001C00SPC111 |
|
Tecal DH320 V2 |
V100R001C00SPC106 and earlier versions |
V100R001C00SPC107 |
|
Tecal DH620 V2 |
V100R001C00SPC106 and earlier versions |
V100R001C00SPC107 |
|
Tecal DH621 V2 |
V100R001C00SPC107 and earlier versions |
V100R001C00SPC107 |
|
Tecal DH628 V2 |
V100R001C00SPC107 and earlier versions |
V100R001C00SPC107 |
|
Tecal BH620 V2 |
V100R002C00SPC107 and earlier versions |
V100R002C00SPC107 |
|
Tecal BH621 V2 |
V100R002C00SPC106 and earlier versions |
V100R002C00SPC107 |
|
Tecal BH622 V2 |
V100R002C00SPC110 and earlier versions |
V100R002C00SPC111 |
|
Tecal BH640 V2 |
V100R002C00SPC108 and earlier versions |
V100R002C00SPC109 |
|
Tecal CH121 |
V100R001C00SPC180 and earlier versions |
V100R001C00SPC200 |
|
Tecal CH140 |
V100R001C00SPC110 and earlier versions |
V100R001C00SPC130 |
|
Tecal CH220 |
V100R001C00SPC180 and earlier versions |
V100R001C00SPC200 |
|
Tecal CH221 |
V100R001C00SPC180 and earlier versions |
V100R001C00SPC200 |
|
Tecal CH222 |
V100R002C00SPC180 and earlier versions |
V100R002C00SPC200 |
|
Tecal CH240 |
V100R001C00SPC180 and earlier versions |
V100R001C00SPC200 |
|
Tecal CH242 |
V100R001C00SPC180 and earlier versions |
V100R001C00SPC200 |
|
Tecal CH242 V3 |
V100R001C00SPC110 and earlier versions |
V100R001C00SPC130 |
HWPSIRT-2014-11109:
Attackers can exploit the vulnerability to access the system with forged identities.
HWPSIRT-2014-11113:
Attackers can exploit the vulnerability to access the system with forged identities.
HWPSIRT-2014-11114:
Attackers can exploit the vulnerability to execute arbitrary code or restart the system.
HWPSIRT-2014-11115:
Attackers can exploit the vulnerability to tamper with the server configuration or restart the system.
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
HWPSIRT-2014-11109:
Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Temporal Score: 3.3 (E:F/RL:O/RC:C)
HWPSIRT-2014-11113:
Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Temporal Score: 4.1 (E:F/RL:O/RC:C)
HWPSIRT-2014-11114:
Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Temporal Score: 6.2 (E:F/RL:O/RC:C)
HWPSIRT-2014-11115:
Base Score: 8.5 (AV:N/AC:L/Au:N/C:N/I:P/A:C)
Temporal Score: 7.0 (E:F/RL:O/RC:C)
1.Prerequisites:
Attackers can access the web UI of the server.
2.Attacking procedure:
Attackers log in to the web UI, view the session IDs of users on the Online Users page, and use the session IDs to impersonate the users to access the system.
HWPSIRT-2014-11113:
1.Prerequisites:
Attackers can access the web UI of the server.
2.Attacking procedure:
Attackers figure out the session IDs of users and use the session IDs to impersonate the users to access the system.
HWPSIRT-2014-11114:
1.Prerequisites:
Attackers can impersonate the victim DNS server.
2.Attacking procedure:
When the server initiates a DNS request, attackers reply to the request with a specific DNS packet.
HWPSIRT-2014-11115:
1.Prerequisites:
Attackers construct websites containing a malicious script, and the websites are accessible to servers that are affected by the vulnerability.
2.Attacking procedure:
Attackers construct websites containing a malicious script and then trick users into logging in to the server to access the website.
This vulnerability was found firstly by Huawei internal tester. Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2015-02-26 V1.2 UPDATED update the affected version
2015-02-15 V1.1 UPDATED update the affected version
2014-12-24 V1.0 INITIAL
None
