This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy (update in May 2018) >

Security Advisory - NTPd Security Vulnerability in Multiple Huawei Products

  • SA No:Huawei-SA-20150316-01-NTPd
  • Initial Release Date: Mar 16, 2015
  • Last Release Date: Apr 15, 2015

 
Huawei was notified about information released by NTP.org and CERT/CC regarding stack buffer overflow security vulnerabilities (CVE-2014-9295) in NTP daemon (ntpd) on December 19th, 2014. Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet.

Multiple Huawei products have this vulnerability. ( Vulnerability ID: HWPSIRT-2014-1276)

The NVD link is: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295

Product name

Affected Version

Resolved Product and Version

Campus Controller

V100R001C00B001

V100R001C00SPC300B012

DC

V100R002C01SPC001

Suse Patch

eSight Network

V200R003C01/C10
V200R005C00

Suse Patch

eSpace DCM

V100R001C01LSTH06SPC002
V100R001C02/C03
V100R002C01

Suse Patch

eSpace IVS

V100R001C02

Suse Patch

FusionAccess

V100R005C10

Upgrade to V100R005C20SPC101

V100R005C20

V100R005C20SPC101

FusionCube

V100R002C01SPC100
V100R002C02SPC100
V100R002C02SPC200
V100R002C02SPC300

Suse Patch

FusionStorage DSware

V100R003C02

V100R003C02SPC302

ManageOne SC

V100R002C20

Suse Patch

ManageOne

V100R002C00/C10

Suse Patch

OceanStor 18500

V100R001C00

V100R001C20SPC200

OceanStor 18800

V100R001C00

V100R001C20SPC200

OceanStor 18800F

V100R001C00

V100R001C20SPC200

OceanStor HDP3500E

V100R003C00

V100R003C00SPH505

OceanStor HVS85T

V100R001C00

V100R001C20SPC200

OceanStor HVS88T

V100R001C00

V100R001S20SPC200

OceanStor S2600T

V200R002C00

V200R002C20SPC200

OceanStor S5500T

V200R002C00

V200R002C20SPC200

OceanStor S5600T

V200R002C00

V200R002C20SPC200

OceanStor S5800T

V200R002C00

V200R002C20SPC200

OceanStor S6800T

V200R002C00

V200R002C20SPC200

OceanStor UDS

V100R002C00

Upgrade to  V100R002C01SPC102

V100R002C01

V100R002C01SPC102


This vulnerability allows remote attackers to execute arbitrary code via a crafted packet.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 

Temporal Score: 5.9 (E:P/RL:O/RC:C)

For additional details, customers are advised to reference the website:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades, or obtain them through Huawei worldwide website at (http://support.huawei.com/enterprise). For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.

This vulnerability was disclosed firstly by NTP.org and CERT/CC.

For security problems about Huawei products and solutions, please contact PSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.

2015-04-15 V1.1 UPDATED updated list of affected products

2015-03-16 V1.0 INITIAL

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.