This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy
The operation and maintenance unit (OMU) of Huawei VCN500 (Video Cloud Node) does not validate parameters of received HTTP requests, which allows an attacker to launch the SQL injection attack against VCN500 by sending manually crafted packets. (Vulnerability ID: HWPSIRT-2015-09016)
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-8334.
Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-463072.htm
Product Name |
Affected Version |
Resolved Product and Version |
VCN500 |
V100R002C00SPC200B010 |
V100R002C00SPC201 |
V100R002C00SPC200 |
By exploiting this vulnerability, the attacker can obtain user data from VCN500 or perform illegitimate operations.
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Temporal Score: 5.4 (E:F/RL:O/RC:C)
1. Prerequisites:
The attacker logs in to VCN500 as an authorized user.
2. Attacking procedure:
The attacker crafts special HTTP requests and sends them to VCN500 OMU.
For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2015-11-26 V1.0 INITIAL
None