Corporate Worldwide

Back to Main Menu

Huawei Websites

Corporate: Corporate news and information

Consumer: Phones, laptops, tablets, wearables & other devices

Enterprise: Enterprise products, solutions & services

Carrier: Products, solutions & services for carrier networks

Huawei Cloud: Cloud products, solutions & services

Select a Country or Region

Security Advisory - NTPd Security Vulnerability in Multiple Huawei Products

SA No:Huawei-SA-20150316-01-NTPd
Initial Release Date: 2015-03-16
Last Release Date: 2015-04-15

Summary

Huawei was notified about information released by NTP.org and CERT/CC regarding stack buffer overflow security vulnerabilities (CVE-2014-9295) in NTP daemon (ntpd) on December 19th, 2014. Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet.

Multiple Huawei products have this vulnerability. ( Vulnerability ID: HWPSIRT-2014-1276)

The NVD link is: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295

Software Versions and Fixes

Product name	Affected Version	Resolved Product and Version
Campus Controller	V100R001C00B001	V100R001C00SPC300B012
DC	V100R002C01SPC001	Suse Patch
eSight Network	V200R003C01/C10 V200R005C00	Suse Patch
eSpace DCM	V100R001C01LSTH06SPC002 V100R001C02/C03 V100R002C01	Suse Patch
eSpace IVS	V100R001C02	Suse Patch
FusionAccess	V100R005C10	Upgrade to V100R005C20SPC101
FusionAccess	V100R005C20	V100R005C20SPC101
FusionCube	V100R002C01SPC100 V100R002C02SPC100 V100R002C02SPC200 V100R002C02SPC300	Suse Patch
FusionStorage DSware	V100R003C02	V100R003C02SPC302
ManageOne SC	V100R002C20	Suse Patch
ManageOne	V100R002C00/C10	Suse Patch
OceanStor 18500	V100R001C00	V100R001C20SPC200
OceanStor 18800	V100R001C00	V100R001C20SPC200
OceanStor 18800F	V100R001C00	V100R001C20SPC200
OceanStor HDP3500E	V100R003C00	V100R003C00SPH505
OceanStor HVS85T	V100R001C00	V100R001C20SPC200
OceanStor HVS88T	V100R001C00	V100R001S20SPC200
OceanStor S2600T	V200R002C00	V200R002C20SPC200
OceanStor S5500T	V200R002C00	V200R002C20SPC200
OceanStor S5600T	V200R002C00	V200R002C20SPC200
OceanStor S5800T	V200R002C00	V200R002C20SPC200
OceanStor S6800T	V200R002C00	V200R002C20SPC200
OceanStor UDS	V100R002C00	Upgrade to V100R002C01SPC102
OceanStor UDS	V100R002C01	V100R002C01SPC102

Impact

This vulnerability allows remote attackers to execute arbitrary code via a crafted packet.

Vulnerability Scoring Details

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Temporal Score: 5.9 (E:P/RL:O/RC:C)

Technique Details

For additional details, customers are advised to reference the website:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295

Temporary Fix

None

Obtaining Fixed Software

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades, or obtain them through Huawei worldwide website at (http://support.huawei.com/enterprise). For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.

Exploitation and Vulnerability Source

This vulnerability was disclosed firstly by NTP.org and CERT/CC.

Contacts for Technique Issue

For security problems about Huawei products and solutions, please contact PSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.

Revision History

2015-04-15 V1.1 UPDATED updated list of affected products

2015-03-16 V1.0 INITIAL

Declaration

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Huawei Security Procedures

Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.

Select a Country or Region

Products

Connectivity

Computing

Cloud

Services

Industry Solutions

Consumer Support

Huawei Cloud Support

Enterprise Support

Carrier Support

Partners

Training & Certification

Developers

About Us

News & Events

Explore More

SEARCH HISTORY

Security Advisory - NTPd Security Vulnerability in Multiple Huawei Products

Select a Country or Region

Connectivity

Computing

Cloud

SEARCH HISTORY

Security Advisory - NTPd Security Vulnerability in Multiple Huawei Products

Online Services

Consumer Products

Huawei Cloud

Enterprise

Carrier Network