This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our private policy>

Security Advisory - MITM Vulnerability in the OpenSSL Module of Huawei eSight Network

  • SA No:Huawei-SA-20150919-01-OpenSSL
  • Initial Release Date: 2015-09-19
  • Last Release Date: 2015-09-19

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed. This vulnerability could allow an attacker to launch man-in-the-middle (MITM) attacks and enable applications to regard invalid certificates as valid. (Vulnerability ID: HWPSIRT-2015-07033)

This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-1793.

Product Name

Affected Version

Resolved Product and Version

eSight Network

V300R003C10SPC100

V300R003C10SPC201

This vulnerability could allow an attacker to launch MITM attacks and enable applications to regard invalid certificates as valid.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)

Temporal Score: 5.3 (E:F/RL:O/RC:C)

1. Prerequisite:

The attacker can intercept the communication data between the two communication parties.

2. Attacking procedure:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.


This vulnerability was reported by OpenSSL. Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


2015-09-19 V1.0 INITIAL
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.