Security Advisory - Multiple Vulnerabilities in Some Huawei Products
- SA No:huawei-sa-20191211-01-ssp
- Initial Release Date: 2019-12-11
- Last Release Date: 2020-08-12
There is an out-of-bounds read vulnerability in some Huawei products. An attacker who logs in to the board may send crafted messages from the internal network port or tamper with inter-process message packets to exploit this vulnerability. Due to insufficient validation of the message, successful exploit may cause the affected board abnormal. (Vulnerability ID: HWPSIRT-2019-01067)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-5254.
There is a DoS vulnerability in some Huawei products. An attacker may send crafted messages from a FTP client to exploit this vulnerability. Due to insufficient validation of the message, successful exploit may cause the system out-of-bounds read and result in a denial of service condition of the affected service. (Vulnerability ID: HWPSIRT-2019-01071)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-5255.
There is a null pointer dereference vulnerability in some Huawei products. The system dereferences a pointer that it expects to be valid, but is NULL. A local attacker could exploit this vulnerability by sending crafted parameters. A successful exploit could cause a denial of service and the process reboot. (Vulnerability ID: HWPSIRT-2019-01072)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-5256.
There is a resource management vulnerability in some Huawei products. An attacker who logs in to the board may send crafted messages from the internal network port or tamper with inter-process message packets to exploit this vulnerability. Due to improper management of system resources, successful exploit may cause resource exhausted. (Vulnerability ID: HWPSIRT-2019-01073)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-5257.
There is a buffer overflow vulnerability in some Huawei products. An attacker who logs in to the board may send crafted messages from the internal network port or tamper with inter-process message packets to exploit this vulnerability. Due to insufficient validation of the message, successful exploit may cause the affected board abnormal. (Vulnerability ID: HWPSIRT-2019-01074)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-5258.
Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191211-01-ssp-en
|
Product Name |
Affected Version |
Resolved Product and Version |
|
AP2000 |
V200R005C30 |
V200R019C00 |
|
V200R006C10 |
||
|
V200R006C10SPCa00 |
||
|
V200R006C10SPCb00 |
||
|
V200R006C10SPCc00 |
||
|
V200R006C10SPCd00 |
||
|
V200R006C20 |
||
|
V200R006C20SPC700 |
||
|
V200R006C20SPC800 |
||
|
V200R007C10 |
||
|
V200R007C10SPC300 |
||
|
V200R007C10SPC500 |
||
|
V200R007C10SPC600 |
||
|
V200R007C10SPC700 |
||
|
V200R007C10SPC800 |
||
|
V200R007C10SPC900 |
||
|
V200R007C10SPCa00 |
||
|
V200R007C10SPCb00 |
||
|
V200R007C10SPCc00 |
||
|
V200R007C20 |
||
|
V200R007C20SPC200 |
||
|
V200R007C20SPC300 |
||
|
V200R007C20SPC500 |
||
|
V200R007C20SPC700 |
||
|
V200R007C20SPC800 |
||
|
V200R007C20SPC900 |
||
|
V200R007C20SPCa00 |
||
|
V200R007C20SPCc00 |
||
|
V200R007C20SPCd00 |
||
|
V200R007C20SPCe00 |
||
|
V200R007C20SPCf00 |
||
|
V200R007C20SPCg00 |
||
|
V200R007C20SPCi00 |
||
|
V200R008C00 |
||
|
V200R008C10 |
||
|
V200R009C00 |
||
|
AR3200 |
V200R003C01SPCe00 |
V200R010C10SPC700 |
|
V200R005C20SPC100 |
||
|
V200R005C20SPC200 |
||
|
V200R005C20SPC500 |
||
|
V200R005C21 |
||
|
V200R005C30 |
||
|
V200R005C31 |
||
|
V200R005C32 |
||
|
V200R006C10 |
||
|
V200R006C11 |
||
|
V200R007C00 |
||
|
V200R007C01 |
||
|
V200R007C02 |
||
|
V200R008C00 |
||
|
V200R008C10 |
||
|
V200R008C20 |
||
|
V200R008C30 |
||
|
V200R008C50 |
||
|
V200R009C00 |
||
|
V200R009C10 |
||
|
V200R010C00 |
||
|
V300R003C00 |
||
|
V300R003C10 |
||
|
V300R019C00 |
||
|
AntiDDoS1600 |
V500R005C00 |
V500R005C00SPC200 |
|
IPS Module |
V500R001C00SPC300 |
V500R005C20SPC300 |
|
V500R001C00SPC500 |
||
|
V500R001C00SPH303 |
||
|
V500R001C00SPH508 |
||
|
V500R001C20 |
||
|
V500R001C20SPC100 |
||
|
V500R001C20SPC100PWE |
||
|
V500R001C20SPC200 |
||
|
V500R001C20SPC200B062 |
||
|
V500R001C20SPC200PWE |
||
|
V500R001C20SPC300B078 |
||
|
V500R001C20SPC300PWE |
||
|
V500R001C30 |
||
|
V500R001C30SPC100 |
||
|
V500R001C30SPC100PWE |
||
|
V500R001C30SPC200 |
||
|
V500R001C30SPC200PWE |
||
|
V500R001C30SPC300 |
||
|
V500R001C50 |
||
|
V500R001C50PWE |
||
|
V500R001C80 |
||
|
V500R005C00 |
||
|
NGFW Module |
V500R001C00SPC300 |
V500R005C20SPC300 |
|
V500R001C00SPC500 |
||
|
V500R001C00SPC500PWE |
||
|
V500R001C00SPH303 |
||
|
V500R001C00SPH508 |
||
|
V500R001C20 |
||
|
V500R001C20SPC100 |
||
|
V500R001C20SPC100PWE |
||
|
V500R001C20SPC200 |
||
|
V500R001C20SPC200B062 |
||
|
V500R001C20SPC200PWE |
||
|
V500R001C20SPC300B078 |
||
|
V500R001C20SPC300PWE |
||
|
V500R002C00 |
||
|
V500R002C00SPC100 |
||
|
V500R002C00SPC100PWE |
||
|
V500R002C00SPC200 |
||
|
V500R002C00SPC200PWE |
||
|
V500R002C00SPC300 |
||
|
V500R002C10 |
||
|
V500R002C10PWE |
||
|
V500R002C30 |
||
|
V500R002C30PWE |
||
|
V500R005C00 |
||
|
NIP6300 |
V500R001C00SPC300 |
V500R005C20SPC300 |
|
V500R001C00SPC500 |
||
|
V500R001C00SPH303 |
||
|
V500R001C00SPH508 |
||
|
V500R001C20 |
||
|
V500R001C20SPC100 |
||
|
V500R001C20SPC100PWE |
||
|
V500R001C20SPC200 |
||
|
V500R001C20SPC200B062 |
||
|
V500R001C20SPC200PWE |
||
|
V500R001C20SPC300B078 |
||
|
V500R001C20SPC300PWE |
||
|
V500R001C30 |
||
|
V500R001C30SPC100 |
||
|
V500R001C30SPC100PWE |
||
|
V500R001C30SPC200 |
||
|
V500R001C30SPC200PWE |
||
|
V500R001C30SPC300 |
||
|
V500R001C50 |
||
|
V500R001C50PWE |
||
|
V500R001C80 |
||
|
V500R005C00 |
||
|
NIP6600 |
V500R001C00SPC300 |
V500R005C20SPC300 |
|
V500R001C00SPC500 |
||
|
V500R001C00SPH303 |
||
|
V500R001C00SPH508 |
||
|
V500R001C20 |
||
|
V500R001C20SPC100 |
||
|
V500R001C20SPC100PWE |
||
|
V500R001C20SPC200 |
||
|
V500R001C20SPC200B062 |
||
|
V500R001C20SPC200PWE |
||
|
V500R001C20SPC300B078 |
||
|
V500R001C30 |
||
|
V500R001C30SPC100 |
||
|
V500R001C30SPC100PWE |
||
|
V500R001C30SPC200 |
||
|
V500R001C30SPC200PWE |
||
|
V500R001C30SPC300 |
||
|
V500R001C50 |
||
|
V500R001C50PWE |
||
|
V500R001C80 |
||
|
V500R005C00 |
||
|
NIP6800 |
V500R001C50 |
V500R005C20SPC300 |
|
V500R001C50PWE |
||
|
V500R001C80 |
||
|
V500R005C00 |
||
|
S5700 |
V200R005C03 |
V200R005SPH026 |
|
SeMG9811 |
V500R002C20 |
V500R005C20 |
|
V500R002C30 |
||
|
V500R005C00 |
||
|
Secospace AntiDDoS8000 |
V500R001C00 |
V500R005C20 |
|
V500R001C00SPC200 |
||
|
V500R001C00SPC300 |
||
|
V500R001C00SPC500 |
||
|
V500R001C00SPC600 |
||
|
V500R001C00SPC700 |
||
|
V500R001C00SPH303 |
||
|
V500R001C20SPC200 |
||
|
V500R001C20SPC300 |
||
|
V500R001C20SPC500 |
||
|
V500R001C20SPC600 |
||
|
V500R001C60SPC100 |
||
|
V500R001C60SPC101 |
||
|
V500R001C60SPC200 |
||
|
V500R001C60SPC300 |
||
|
V500R001C60SPC500 |
||
|
V500R001C60SPC600 |
||
|
V500R005C00 |
||
|
V500R005C00SPC100 |
||
|
Secospace USG6300 |
V100R001C20SPC100 |
V500R005C20SPC300 |
|
V500R001C00SPC300 |
||
|
V500R001C00SPC500 |
||
|
V500R001C00SPC500PWE |
||
|
V500R001C00SPH303 |
||
|
V500R001C00SPH508 |
||
|
V500R001C20 |
||
|
V500R001C20SPC100 |
||
|
V500R001C20SPC100PWE |
||
|
V500R001C20SPC101 |
||
|
V500R001C20SPC200 |
||
|
V500R001C20SPC200B062 |
||
|
V500R001C20SPC200PWE |
||
|
V500R001C20SPC300B078 |
||
|
V500R001C20SPC300PWE |
||
|
V500R001C30 |
||
|
V500R001C30SPC100 |
||
|
V500R001C30SPC100PWE |
||
|
V500R001C30SPC200 |
||
|
V500R001C30SPC200PWE |
||
|
V500R001C30SPC300 |
||
|
V500R001C50 |
||
|
V500R001C50PWE |
||
|
V500R001C80 |
||
|
V500R001C80PWE |
||
|
V500R005C00 |
||
|
Secospace USG6500 |
V100R001C20SPC100 |
V500R005C20SPC300 |
|
V500R001C00SPC300 |
||
|
V500R001C00SPC500 |
||
|
V500R001C00SPC500PWE |
||
|
V500R001C00SPH303 |
||
|
V500R001C00SPH508 |
||
|
V500R001C20 |
||
|
V500R001C20SPC100 |
||
|
V500R001C20SPC100PWE |
||
|
V500R001C20SPC101 |
||
|
V500R001C20SPC200 |
||
|
V500R001C20SPC200B062 |
||
|
V500R001C20SPC200PWE |
||
|
V500R001C20SPC300B078 |
||
|
V500R001C20SPC300PWE |
||
|
V500R001C30 |
||
|
V500R001C30SPC100 |
||
|
V500R001C30SPC100PWE |
||
|
V500R001C30SPC200 |
||
|
V500R001C30SPC200PWE |
||
|
V500R001C30SPC300 |
||
|
V500R001C50 |
||
|
V500R001C50PWE |
||
|
V500R001C80 |
||
|
V500R001C80PWE |
||
|
V500R005C00 |
||
|
Secospace USG6600 |
V100R001C00SPC200 |
V500R005C20SPC300 |
|
V100R001C10SPC200 |
||
|
V100R001C10SPC201 |
||
|
V100R001C20SPC100 |
||
|
V100R001C20SPC200 |
||
|
V500R001C00 |
||
|
V500R001C00SPC050 |
||
|
V500R001C00SPC090 |
||
|
V500R001C00SPC300 |
||
|
V500R001C00SPC500 |
||
|
V500R001C00SPC500PWE |
||
|
V500R001C00SPH303 |
||
|
V500R001C20 |
||
|
V500R001C20SPC100 |
||
|
V500R001C20SPC100PWE |
||
|
V500R001C20SPC101 |
||
|
V500R001C20SPC200 |
||
|
V500R001C20SPC200PWE |
||
|
V500R001C20SPC300 |
||
|
V500R001C20SPC300B078 |
||
|
V500R001C20SPC300PWE |
||
|
V500R001C30 |
||
|
V500R001C30SPC100 |
||
|
V500R001C30SPC100PWE |
||
|
V500R001C30SPC200 |
||
|
V500R001C30SPC200PWE |
||
|
V500R001C30SPC300 |
||
|
V500R001C30SPC500 |
||
|
V500R001C30SPC600 |
||
|
V500R001C30SPC600PWE |
||
|
V500R001C30SPC601 |
||
|
V500R001C50 |
||
|
V500R001C50PWE |
||
|
V500R001C50SPC009 |
||
|
V500R001C50SPC100 |
||
|
V500R001C50SPC100PWE |
||
|
V500R001C50SPC200 |
||
|
V500R001C50SPC200PWE |
||
|
V500R001C50SPC300 |
||
|
V500R001C60 |
||
|
V500R001C60SPC100 |
||
|
V500R001C60SPC100PWE |
||
|
V500R001C60SPC200 |
||
|
V500R001C60SPC200PWE |
||
|
V500R001C60SPC300 |
||
|
V500R001C60SPC500 |
||
|
V500R001C80 |
||
|
V500R001C80PWE |
||
|
V500R005C00 |
||
|
USG6000V |
V500R001C10 |
V500R005C20 |
|
V500R001C20 |
||
|
V500R003C00 |
||
|
V500R005C00 |
||
|
eSpace U1981 |
V200R003C50SPC700 |
V200R003C50SPC900 |
HWPSIRT-2019-01067:
Successful exploit may cause the affected board abnormal.
HWPSIRT-2019-01071:
Successful exploit may cause the system out-of-bounds read and result in a denial of service condition of the affected service.
HWPSIRT-2019-01072:
Successful exploit may cause a denial of service and the process reboot.
HWPSIRT-2019-01073:
Successful exploit may cause resource exhausted.
HWPSIRT-2019-01074:
Successful exploit may cause the affected board abnormal.
The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).
HWPSIRT-2019-01067:
Base Score: 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Temporal Score: 5.1 (E:F/RL:O/RC:C)
HWPSIRT-2019-01071:
Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Temporal Score: 4.9 (E:F/RL:O/RC:C)
HWPSIRT-2019-01072:
Base Score: 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Temporal Score: 5.1 (E:F/RL:O/RC:C)
HWPSIRT-2019-01073:
Base Score: 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Temporal Score: 5.1 (E:F/RL:O/RC:C)
HWPSIRT-2019-01074:
Base Score: 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Temporal Score: 5.1 (E:F/RL:O/RC:C)
HWPSIRT-2019-01067:
This vulnerability can be exploited only when the following conditions are present:
The attacker may log in to the board.
Vulnerability details:
An attacker who logs in to the board may send crafted messages from the internal network port or tamper with inter-process message packets to exploit this vulnerability. Due to insufficient validation of the message, successful exploit may cause the affected board abnormal.
HWPSIRT-2019-01071:
This vulnerability can be exploited only when the following conditions are present:
The attacker gains access to the device network.
Vulnerability details:
An attacker may send crafted messages from a FTP client to exploit this vulnerability. Due to insufficient validation of the message, successful exploit may cause the affected board out-of-bounds read and result in a denial of service condition.
HWPSIRT-2019-01072:
This vulnerability can be exploited only when the following conditions are present:
The attacker may log in to the board.
Vulnerability details:
The system dereferences a pointer that it expects to be valid, but is NULL. A local attacker could exploit this vulnerability by sending crafted parameters. A successful exploit could cause a denial of service and the process reboot.
HWPSIRT-2019-01073:
This vulnerability can be exploited only when the following conditions are present:
The attacker may log in to the board.
Vulnerability details:
An attacker who logs in to the board may send crafted messages from the internal network port or tamper with inter-process message packets to exploit this vulnerability. Due to improper management of system resources, successful exploit may cause resource exhausted.
HWPSIRT-2019-01074:
This vulnerability can be exploited only when the following conditions are present:
The attacker may log in to the board.
Vulnerability details:
An attacker who logs in to the board may send crafted messages from the internal network port or tamper with inter-process message packets to exploit this vulnerability. Due to insufficient validation of the message, successful exploit may cause the affected board abnormal.
Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/psirt/report-vulnerabilities.
These vulnerabilities were discovered by Huawei internal tester.
2020-08-12 V1.3 UPDATED Updated the "Software Versions and Fixes" section;
2020-07-22 V1.2 UPDATED Updated the "Software Versions and Fixes" section;
2020-04-08 V1.1 UPDATED Updated the "Software Versions and Fixes" section;
2019-12-11 V1.0 INITIAL
None
Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.
To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.
To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.