This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Corporate Worldwide
Corporate
Corporate news and information
Consumer
Phones, laptops, tablets, wearables & other devices
Enterprise
Enterprise products, solutions & services
Carrier
Products, solutions & services for carrier networks
Huawei Cloud
Cloud products, solutions & services

Select a Country or Region

Security Advisory - OpenSSL DROWN Security Vulnerability

  • SA No:huawei-sa-20160330-01-openssl
  • Initial Release Date: Mar 30, 2016
  • Last Release Date: Jan 10, 2022

OpenSSL official website released a security advisory about a high risk vulnerability dubbed DROWN (CVE-2016-0800) on March 1st, 2016.

The vulnerability is: Once SSLv2 is used, an attacker can capture packets or act as a man in the middle (MIMT) to obtain SSL session keys, decrypt encrypted traffic, and obtain users' sensitive information. (Vulnerability ID: HWPSIRT-2016-03007)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-0800.

Part of Huawei products have released software updates to fix this vulnerability. This advisory is available at the following link: 

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160330-01-openssl-en

Product Name

Affected Version

Resolved Product and Version

Agile Controller-Campus

V100R001C00

Upgrade to V100R002C00SPC105

V100R002C00

V100R002C00SPC105

BH620 V2

V100R002C00

V100R002C00SPC200

BH621 V2

V100R002C00

V100R002C00SPC200

BH622 V2

V100R002C00

V100R002C00SPC300

BH640 V2

V100R002C00

V100R002C00SPC300

Campus Controller

V100R001C00B001

Agile Controller-Campus V100R002C00SPC105

CH121

V100R001C00

V100R001C00SPC260

CH140

V100R001C00

V100R001C00SPC260

CH220

V100R001C00

V100R001C00SPC260

CH221

V100R001C00

V100R001C00SPC260

CH222

V100R002C00

V100R001C00SPC260

CH240

V100R001C00

V100R001C00SPC260

CH242

V100R001C00

V100R001C00SPC260

CSS

CSS V100R001C00

OceanStor 9000 V100R001C30SPC200

E9000 Chassis

V100R001C00

V100R001C00SPC290

eSight Network   

V300R003C10

Upgrade to V300R003C20SPC105

V300R003C20

V300R003C20SPC105

eSight UC&C

eSight UC&C V100R001C01

eSight Network V300R003C20SPC105

eSight UC&C V100R001C20

FusionManager

V100R003C10

Upgrade to V100R005C10SPC700

FusionStorage DSware

V100R003C30

V100R003C30SPC200

FusionStorage

V100R003C00SPC300

V100R003C00SPC308

V100R003C02SPC300

V100R003C02SPC306

HiSTBAndroid

V600R001C00SPC060

Upgrade to V600R002SPC030

HUAWEI Tecal E6000

HUAWEI Tecal E6000 V100R001C01

E6000 Chassis V100R001C00SPC500

OceanStor 9000

V100R001C01

Upgrade to V100R001C30SPC200

V100R001C30

V100R001C30SPC200

OceanStor 9000E

OceanStor 9000E V100R001C01

OceanStor 9000 V100R001C30SPC200

OceanStor 9000E V100R001C05

OceanStor 9000E V100R002C00

OceanStor 9000E V100R002C01

OceanStor 9000E V100R002C02

OceanStor N8500

V200R001C10

Upgrade to V200R002C00SPC102

V200R002C00

V200R002C00SPC102

Policy Center

Policy Center V100R003C00

Agile Controller-Campus V100R002C00SPC105

Policy Center V100R003C10

Public Cloud Solution

Public Cloud Solution V100R001C00

Public Cloud Solution 0-DT 1.0.0

RH1288 V2

V100R002C00

V100R002C00SPC602

RH2285 V2

V100R002C00

V100R002C00SPC300

RH2285H V2

V100R002C00

V100R002C00SPC500

RH2288 V2

V100R002C00

V100R002C00SPC500

RH2288E V2

V100R002C00

V100R002C00SPC200

RH2288H V2

V100R002C00

V100R002C00SPC602

RH2485 V2

V100R002C00

V100R002C00SPC601

RH5885 V2

V100R001C00

Upgrade to V100R001C02SPC302

V100R001C01

V100R001C02

V100R001C02SPC302

RH5885 V3

V100R003C00

Upgrade to V100R003C01SPC111

RH5885H V3

V100R003C00

V100R003C00SPC113

X6000

X6000 V100R002C00

XH320 V2 V100R001C00SPC200

UPS2000

V100R001C10SPC500

Upgrade to V100R021C92SPC050

V100R001C10SPC600

SMU(02S)

V500R001C60

Upgrade to SMU V500R003C00SPC031

V500R001C50

V500R002C00

V500R002C10

V500R002C20

V500R002C30

SMU(02B)

V300R002C10

Upgrade to SMU V500R002C20SPC961

V300R002C20

V300R003C00

V300R003C10

V300R003C91

V300R003C93

V500R001C00

V500R001C10

V500R001C20

SMU(02C)

V500R001C60

Upgrade to SMU V500R003C00SPC031

V500R001C20

V500R001C30

V500R001C50

V500R002C00

V500R002C10

V500R002C20

V500R002C30

V500R002C50
ECC500 
 ECC500 V600R001C00
 ECC500 V600R001C03SPC102
ECC500 V600R001C03
 ACC
 ACC V100R002C00SPC100 
 ACC V100R002C00SPC710
ACC V100R002C00SPC200
ACC V100R002C00SPC300
ACC V100R002C00SPC400
ACC V100R002C00SPC500
ACC V100R002C00SPC600 
ACC V200R001C00SPC100
ACC V200R001C00SPC200
ACC V200R001C00SPC300
ACC V200R001C10SPC100
 ACC V200R001C30SPC290
ACC V200R001C11SPC100
 ACC V200R001C11SPC300


Successful exploitation this vulnerability, attacker can obtain sensitive information.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Temporal Score: 3.6(E:F/RL:O/RC:C)

1. Prerequisite:

The device uses OpenSSL, enables SSLv2, and uses RSA key exchange cipher suites.

2. Attacking procedure:

Once SSLv2 is used, an attacker can capture packets or act as a man in the middle (MIMT) to obtain SSL session keys, decrypt encrypted traffic, and obtain users' sensitive information.

For additional details, customers are advised to reference the website: 

https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/.
None


Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/psirt/report-vulnerabilities.

This vulnerability was disclosed by OpenSSL official website.

2022-01-10 V1.4 UPDATE Update the affected product list and fixed version
2020-12-30 V1.3 UPDATE Update the affected product list and fixed version

2016-05-18 V1.2 UPDATE Update the affected product list and fixed version
2016-04-28 V1.1 UPDATE Update the affected product list and fixed version
2016-03-30 V1.0 INITIAL

None

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.
online services
mask

Online Services

consumer

Consumer Products

Gobal Service Hotline
Local Website
cloud

Huawei Cloud

Sales: +852-800-931-122

Chatbot
enterprise

Enterprise

Global Service Hotline
Pricing/Info
carrier network

Carrier Network

Global Service Hotline
All Contacts