Vulnerability CVE-2017-17138


Published: 2018-03-05

Description:
PEM module of DP300 V500R002C00; IPS Module V500R001C00; V500R001C30; NGFW Module V500R001C00; V500R002C00; NIP6300 V500R001C00; V500R001C30; NIP6600 V500R001C00; V500R001C30; RP200 V500R002C00; V600R006C00; S12700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00; S1700 V200R006C10; V200R009C00; V200R010C00; S2700 V200R006C10; V200R007C00; V200R008C00; V200R009C00; V200R010C00; S5700 V200R006C00; V200R007C00; V200R008C00; V200R009C00; V200R010C00; S6700 V200R008C00; V200R009C00; V200R010C00; S7700 V200R007C00; V200R008C00; V200R009C00; V200R010C00; S9700 V200R007C00; V200R007C01; V200R008C00; V200R009C00; V200R010C00; Secospace USG6300 V500R001C00; V500R001C30; Secospace USG6500 V500R001C00; V500R001C30; Secospace USG6600 V500R001C00; V500R001C30S; TE30 V100R001C02; V100R001C10; V500R002C00; V600R006C00; TE40 V500R002C00; V600R006C00; TE50 V500R002C00; V600R006C00; TE60 V100R001C01; V100R001C10; V500R002C00; V600R006C00; TP3106 V100R002C00; TP3206 V100R002C00; V100R002C10; USG9500 V500R001C00; V500R001C30; ViewPoint 9030 V100R011C02; V100R011C03 has a DoS vulnerability in PEM module of Huawei products due to insufficient verification. An authenticated local attacker can make processing into deadloop by a malicious certificate. The attacker can exploit this vulnerability to cause a denial of service.

Type:

CWE-20

(Improper Input Validation)

Vendor: Huawei
Product: Te50 firmware 
Version: v600r006c00; v500r002c00;
Product: Te60 firmware 
Version:
v600r006c00
v500r002c00
v100r001c10
v100r001c02
Product: Te30 firmware 
Version:
v600r006c00
v500r002c00
v100r001c10
v100r001c02
Product: Te40 firmware 
Version: v600r006c00; v500r002c00;
Product: Rp200 firmware 
Version: v600r006c00; v500r002c00;
Product: Dp300 firmware 
Version: v500r002c00;
Product: Ngfw module firmware 
Version: v500r002c00; v500r001c00;
Product: Secospace usg6600 firmware 
Version: v500r001c30s; v500r001c00;
Product: Secospace usg6500 firmware 
Version: v500r001c30; v500r001c00;
Product: Ips module firmware 
Version: v500r001c30; v500r001c00;
Product: Usg9500 firmware 
Version: v500r001c30; v500r001c00;
Product: Nip6300 firmware 
Version: v500r001c30; v500r001c00;
Product: Nip6600 firmware 
Version: v500r001c30; v500r001c00;
Product: Secospace usg6300 firmware 
Version: v500r001c30; v500r001c00;
Product: S6700 firmware 
Version:
v200r010c00
v200r009c00
v200r008c00
Product: S5700 firmware 
Version:
v200r010c00
v200r009c00
v200r008c00
v200r007c00
v200r006c00
Product: S2700 firmware 
Version:
v200r010c00
v200r009c00
v200r008c00
v200r007c00
v200r006c10
Product: S1700 firmware 
Version:
v200r010c00
v200r009c00
v200r006c10
Product: S9700 firmware 
Version:
v200r010c00
v200r009c00
v200r008c00
v200r007c01
v200r007c00
Product: S7700 firmware 
Version:
v200r010c00
v200r009c00
v200r008c00
v200r007c00
Product: S12700 firmware 
Version:
v200r010c00
v200r009c00
v200r008c00
v200r007c01
v200r007c00
Product: Viewpoint 9030 firmware 
Version: v100r011c03; v100r011c02;
Product: Tp3206 firmware 
Version: v100r002c10; v100r002c00;
Product: Tp3106 firmware 
Version: v100r002c00;

CVSS2 => (AV:L/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
2.1/10
2.9/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171206-01-pem-en

Related CVE
CVE-2019-5289
Gauss100 OLTP database in ManageOne with versions of 6.5.0 have an out-of-bounds read vulnerability due to the insufficient checks of the specific packet length. Attackers can construct invalid packets to attack the active and standby communication c...
CVE-2019-5280
The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attack...
CVE-2019-5223
PCManager 9.1.3.1 has an improper authentication vulnerability. The certain driver interface of the software does not perform a validation of user-mode data properly, successful exploit could result in malicious code execution.
CVE-2019-5236
Huawei smart phones Emily-L29C with versions of 8.1.0.132a(C432), 8.1.0.135(C782), 8.1.0.154(C10), 8.1.0.154(C461), 8.1.0.154(C635), 8.1.0.156(C185), 8.1.0.156(C605), 8.1.0.159(C636) have a double free vulnerability. An attacker can trick a user to c...
CVE-2019-5222
There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user ...
CVE-2019-5245
HiSuite 9.1.0.300 versions and earlier contains a DLL hijacking vulnerability. This vulnerability exists due to some DLL file is loaded by HiSuite improperly. And it allows an attacker to load this DLL file of the attacker's choosing that could execu...
CVE-2019-5243
There is a Clickjacking vulnerability in Huawei HG255s product. An attacker may trick user to click a link and affect the integrity of a device by exploiting this vulnerability.
CVE-2019-5242
There is a code execution vulnerability in Huawei PCManager versions earlier than PCManager 9.0.1.50. The attacker can tricking a user to install and run a malicious application to exploit this vulnerability. Successful exploitation may cause the att...

Copyright 2019, cxsecurity.com

 

Back to Top