
Security Notice - Bash Code Injection Vulnerability

  • Initial Release Date: Sep 25, 2014
  • Last Release Date: Nov 04, 2014

Huawei was notified of the Bash code injection vulnerability via specially crafted environment variables, which was released by NVD (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187) on 09/24/2014. Huawei immediately launched a thorough investigation.

The investigation has been partially completed, and it is confirmed that some Huawei products are affected.

Huawei has released a security advisory (SA) and fixed versions. Customers can ask for support from local Huawei technical support services if necessary. The link is:

http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-377648.htm

The following Huawei products are confirmed vulnerable:

| Product Name | Affected Version |
| --- | --- |
| Agile Controller-Campus | Agile Controller-Campus V100R001 |
| BSC6000 | BSC6000 V900R008C01/C15; BSC6000 V901R013C00 |
| E6000 Blade Server | BH620 V2 V100R002C00; BH621 V2 V100R001C00; BH622 V2 V100R001C00; BH640 V2 V100R001C00 |
| E6000 Chassis | E6000 Chassis V100R001C00 |
| E9000 Blade Server | CH121 V100R001C00; CH140 V100R001C00; CH220 V100R001C00; CH221 V100R001C00; CH222 V100R002C00; CH240 V100R001C00; CH242 V100R001C00; CH242 V3 V100R001C00 |
| E9000 Chassis | E9000 Chassis V100R001C00 |
| eSpace CAD | eSpace CAD V100R001 |
| eLog | eLog V100R003; eLog V200R003 |
| eSight Network | eSight Network V200R003C01/C10 |
| eSight UC&C | eSight UC&C V100R001C01/C20 |
| eSpace CC | eSpace CC V100R001; eSpace CC V200R001 |
| eSpace DCM | eSpace DCM V100R002 |
| eSpace IVS | eSpace IVS V100R001 |
| eSpace Meeting | eSpace Meeting V100R001 |
| eSpace U2980 | eSpace U2980 V100R001 |
| eSpace U2990 | eSpace U2990 V200R001 |
| eSpace UC | eSpace UC V100R001/R002; eSpace UC V200R001/R002 |
| eSpace UMS | eSpace UMS V200R002 |
| eSpace USM | eSpace USM V100R001 |
| eSpace V1300N | eSpace V1300N V100R002 |
| eSpace VTM | eSpace VTM V100R001 |
| FusionAccess | FusionAccess V100R005C10 |
| FusionCompute | FusionCompute V100R003C00/C10 |
| FusionManager | FusionManager V100R003C10 |
| FusionStorage DSware | FusionStorage V100R003C02SPC100/SPC200 |
| GalaX8800 | GalaX8800 V100R002C00/C01/C85 |
| GTSOFTX3000 | GTSOFTX3000 V200R001C01SPC100 |
| High-Density Server | DH310 V2 V100R001C00; DH320 V2 V100R001C00; DH321 V2 V100R002C00; DH620 V2 V100R001C00; DH621 V2 V100R001C00; DH628 V2 V100R001C00; XH310 V2 V100R001C00; XH320 V2 V100R001C00; XH321 V2 V100R002C00; XH621 V2 V100R001C00 |
| iSOC | iSOC V200R001 |
| ManageOne | ManageOne V100R001C01/C02; ManageOne V100R002C00/C10/C20 |
| OceanStor 18500 | OceanStor 18500 V100R001C00 |
| OceanStor 18800 | OceanStor 18800 V100R001C00 |
| OceanStor 18800F | OceanStor 18800F V100R001C00 |
| OceanStor 9000 | OceanStor 9000 V100R001C01/C10 |
| OceanStor 9000E | OceanStor 9000E V100R001C01; OceanStor 9000E V100R002C00/C19 |
| OceanStor CSE | OceanStor CSE V100R001C01; OceanStor CSE V100R002C00LHWY01; OceanStor CSE V100R002C00LSFM01; OceanStor CSE V100R002C10; OceanStor CSE V100R003C00 |
| OceanStor CSS | OceanStor CSS V100R001C00/C01/C02/C03/C05; OceanStor CSS V100R002C00 |
| OceanStor Dorado | OceanStor Dorado2100 V100R001C00; OceanStor Dorado2100 G2 V100R001C00; OceanStor Dorado5100 V100R001C00 |
| OceanStor HDP | OceanStor HDP3500E V100R002C00; OceanStor HDP3500E V100R003C00 |
| OceanStor HVS85T | OceanStor HVS85T V100R001C00/C99 |
| OceanStor HVS88T | OceanStor HVS88T V100R001C00 |
| OceanStor N8000 | OceanStor N8300 V100R002C00; OceanStor N8500 V100R001C01; OceanStor N8500 V100R002C00; OceanStor N8500 V200R001C00/C10/C09/C91 |
| OceanStor S2000 | OceanStor S2300 V100R001C02 |
| OceanStor S2200T | OceanStor S2200T V100R005C00/C01/C02/C30 |
| OceanStor S2600 | OceanStor S2600 V100R001C02; OceanStor S2600 V100R005C02 |
| OceanStor S2600T | OceanStor S2600T V100R002C00/C01; OceanStor S2600T V100R003C00; OceanStor S2600T V100R005C00/C01/C02/C30; OceanStor S2600T V200R002C00; OceanStor S2900 V100R002C01 |
| OceanStor S5000 | OceanStor S5300 V100R001C01; OceanStor S5300 V100R005C02; OceanStor S5500 V100R001C01; OceanStor S5500 V100R005C02; OceanStor S5600 V100R001C01; OceanStor S5600 V100R005C02 |
| OceanStor S5500T | OceanStor S3900 V100R001C00; OceanStor S3900 V100R002C00; OceanStor S5500T V100R001C00/C01; OceanStor S5500T V100R002C00/C01; OceanStor S5500T V100R003C00; OceanStor S5500T V100R005C00/C01/C02/C30; OceanStor S5500T V200R002C00 |
| OceanStor S5600T | OceanStor S5600T V100R001C00/C01; OceanStor S5600T V100R002C00/C01; OceanStor S5600T V100R003C00; OceanStor S5600T V100R005C00/C01/C02/C30; OceanStor S5600T V200R002C00; OceanStor S5900 V100R001C00; OceanStor S5900 V100R002C00 |
| OceanStor S5800T | OceanStor S5800T V100R001C00/C01; OceanStor S5800T V100R002C00/C01; OceanStor S5800T V100R003C00; OceanStor S5800T V100R005C00/C01/C02/C30; OceanStor S5800T V200R002C00; OceanStor S5800T V200R001C00; OceanStor S5800T V200R002C00/C10/C20; OceanStor S6900 V100R001C00; OceanStor S6900 V100R002C00 |
| OceanStor S6800 | OceanStor S6800E V100R005C02 |
| OceanStor S6800T | OceanStor S6800T V100R001C00/C01; OceanStor S6800T V100R002C00/C01; OceanStor S6800T V100R003C00; OceanStor S6800T V100R005C00/C01/C02/C30; OceanStor S6800T V200R002C00 |
| OceanStor SNS | OceanStor SNS2120 V100R001C00; OceanStor SNS5120 V100R001C00 |
| OceanStor UDS | OceanStor UDS V100R001C00; OceanStor UDS V100R002C00/C01; OceanStor UDS V100R002C00LVDF01 |
| OceanStor V1000 | OceanStor V1500 V100R001C02; OceanStor V1800 V100R001C02 |
| OceanStor VIS6600 | OceanStor VIS6600 V100R002C02; OceanStor S8100 V100R002C01; OceanStor VIS6600T V200R003C10 |
| OceanStor VTL | OceanStor VTL3500 V100R002C01; OceanStor VTL6000 V100R003C01/C02; OceanStor VTL6900 V100R005C00 |
| OIC | OIC V100R001 |
| OMM Solution | OMM Solution V100R001 |
| Rack server | RH1288 V2 V100R002C00; RH2285 V2 V100R002C00; RH2285H V2 V100R002C00; RH2288 V2 V100R002C00; RH2288E V2 V100R002C00; RH2288H V2 V100R002C00; RH2485 V2 V100R002C00; RH5885 V2 V100R001C00; RH5885 V3 V100R003C00; RH5885H V3 V100R003C00 |
| SIG9800 | SIG9800-X16 V300R001C00; SIG9800-X16 V300R002C10 |
| UMA | UMA V100R001; UMA V200R001 |
| UMA-DB | UMA-DB V100R001 |
| VAE | VAE V100R001C01 |
| eSpace VCN3000 | eSpace VCN3000 V100R001 |
| DC | DC V100R002 |
| NVS | NVS V100R002 |
| eSight | eSight V300R001C00; eSight V300R001C10 |

The following Huawei products are confirmed not vulnerable:

Product Name

  • AR/NE16EX-8 series Router
  • BMA / CH242 V3 / RH2288 V3 / RH8100 V3
  • CloudEngine series LAN Switch and S series LAN Switch
  • Eudemon / SVN / USG / NIP / ASG / AntiDDoS / AVE / SRG / WAF series Firewall
  • FusionInsight
  • IAD series Unified Communications
  • IPC series camera
  • OceanStor Dorado V3 / OceanStor InfraControl / OceanStor ReplicationDirector / OceanStor UltraVR / UltraPath
  • TE series
  • Telepresence series
  • U1900 series IP-PBX
  • UAP33/21 series
  • VDesktop6000
  • WLAN series

Workarounds:

The network-level mitigation measures described below can help some customers reduce the risk:

The latest signatures (IPS_H20011000_2014092600 / IPS_H20011001_2014092608 / IPS_H20010000_2014092605) for Huawei NGFW (Next Generation Firewall) products and data center firewalls that integrate an Intrusion Protection System (IPS) module were released on 9/26; upgrading to them allows the Bash vulnerability to be detected and prevented at the network level.

 

2014-11-04 V2.1 UPDATED updated list of affected products

2014-10-29 V2.0 UPDATED updated list of affected products

2014-10-28 V1.9 UPDATED updated list of affected products

2014-10-25 V1.8 UPDATED updated list of affected products and give SA link

2014-10-10 V1.7 UPDATED updated list of affected products

2014-10-02 V1.6 UPDATED updated list of products not affected

2014-09-30 V1.5 UPDATED updated list of products not affected

2014-09-30 V1.4 UPDATED added list of products not affected

2014-09-29 V1.3 UPDATED updated list of affected products

2014-09-28 V1.2 UPDATED updated list of affected products

2014-09-26 V1.1 UPDATED added workarounds and list of affected products

2014-09-25 V1.0 INITIAL

Huawei adheres to protecting the ultimate interests of users with best efforts and to the principle of responsible disclosure, and deals with product security issues through our response mechanism. Please report to Huawei PSIRT at psirt@huawei.com if you find any security vulnerability in Huawei products.