Security Advisory-Vulnerability in Image Upload of User-defined Devices to Huawei eSight System
- SA No:Huawei-SA-20131228-03
- Initial Release Date: 2013-12-28
- Last Release Date: 2014-02-11
Huawei eSight System is an operation and maintenance system that Huawei develops for next-generation wireless/wired enterprise campus networks, enterprise branches, and data centers. When users adapt new devices for it, the server verifies the format of the files to be uploaded unsuccessfully. Therefore, attackers upload malicious code to the server. (HWPSIRT-2013-1257).
This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2014-1689.
|
Product name |
Version |
|
eSight |
V200R003C00 and earlier versions |
The impacts vary with the functions of uploaded malicious code, such as information loss, service interruption, and server down.
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Temporal Score: 6.3 (E:F/RL:O/RC:C)
1. Prerequisite:
The attackers must be able to monitor communication between the user and server.
2. Attacking procedure:
The attacker uploads malicious code to the server by exploiting the vulnerability.
Upgrading version and upgrading date:
|
Product name |
Solved version |
Solved time |
|
eSight |
V200R003C01SPC200 |
Released |
This vulnerability is found by Huawei internal test engineer. The Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2014-02-11 V1.1 UPDATED update the information of CVE-ID
2013-12-28 V1.0 INITIAL
None
