Security Advisory - Information Disclosure Vulnerability in CIDAM Protocol on Huawei Products
- SA No:huawei-sa-20171220-01-cidam
- Initial Release Date: Dec 20, 2017
- Last Release Date: Dec 20, 2017
Part of Huawei Products use the CIDAM protocol, which contains sensitive information in the message when it is implemented. So these products has an information disclosure vulnerability. An authenticated remote attacker could track and get the message of a target system. Successful exploit could allow the attacker to get the information and cause the sensitive information disclosure. (Vulnerability ID: HWPSIRT-2017-08146)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-17303.
Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-01-cidam-en
|
Product Name |
Affected Version |
Resolved Product and Version |
|
DP300 |
V500R002C00 |
V500R002C00SPCb00 |
|
V500R002C00B010 |
||
|
V500R002C00B011 |
||
|
V500R002C00B012 |
||
|
V500R002C00B013 |
||
|
V500R002C00B014 |
||
|
V500R002C00B017 |
||
|
V500R002C00B018 |
||
|
V500R002C00SPC100 |
||
|
V500R002C00SPC200 |
||
|
V500R002C00SPC300 |
||
|
V500R002C00SPC400 |
||
|
V500R002C00SPC500 |
||
|
V500R002C00SPC600 |
||
|
V500R002C00SPC800 |
||
|
V500R002C00SPC900 |
||
|
V500R002C00SPCa00 |
||
|
RP200 |
V500R002C00SPC200 |
Upgrade to TE30 V600R006C00SPC400 |
|
V600R006C00 |
TE30 V600R006C00SPC400 |
|
|
V600R006C00SPC200 |
||
|
V600R006C00SPC300 |
||
|
TE30 |
V100R001C10SPC300 |
Upgrade to TE30 V600R006C00SPC400 |
|
V100R001C10SPC500 |
||
|
V100R001C10SPC600 |
||
|
V100R001C10SPC700B010 |
||
|
V500R002C00SPC200 |
||
|
V500R002C00SPC500 |
||
|
V500R002C00SPC600 |
||
|
V500R002C00SPC700 |
||
|
V500R002C00SPC900 |
||
|
V500R002C00SPCb00 |
||
|
V600R006C00 |
TE30 V600R006C00SPC400 |
|
|
V600R006C00SPC200 |
||
|
V600R006C00SPC300 |
||
|
TE40 |
V500R002C00SPC600 |
Upgrade to TE40 V600R006C00SPC400 |
|
V500R002C00SPC700 |
||
|
V500R002C00SPC900 |
||
|
V500R002C00SPCb00 |
||
|
V600R006C00 |
TE40 V600R006C00SPC400 |
|
|
V600R006C00SPC200 |
||
|
V600R006C00SPC300 |
||
|
TE50 |
V500R002C00SPC600 |
Upgrade to TE50 V600R006C00SPC400 |
|
V500R002C00SPC700 |
||
|
V500R002C00SPCb00 |
||
|
V600R006C00 |
TE50 V600R006C00SPC400 |
|
|
V600R006C00SPC200 |
||
|
V600R006C00SPC300 |
||
|
TE60 |
V100R001C10 |
Upgrade to TE60 V600R006C00SPC400 |
|
V100R001C10B001 |
||
|
V100R001C10B002 |
||
|
V100R001C10B010 |
||
|
V100R001C10B011 |
||
|
V100R001C10B012 |
||
|
V100R001C10B013 |
||
|
V100R001C10B014 |
||
|
V100R001C10B016 |
||
|
V100R001C10B017 |
||
|
V100R001C10B018 |
||
|
V100R001C10B019 |
||
|
V100R001C10SPC400 |
||
|
V100R001C10SPC500 |
||
|
V100R001C10SPC600 |
||
|
V100R001C10SPC700 |
||
|
V100R001C10SPC800B011 |
||
|
V100R001C10SPC900 |
||
|
V500R002C00 |
||
|
V500R002C00B010 |
||
|
V500R002C00B011 |
||
|
V500R002C00SPC100 |
||
|
V500R002C00SPC200 |
||
|
V500R002C00SPC300 |
||
|
V500R002C00SPC600 |
||
|
V500R002C00SPC700 |
||
|
V500R002C00SPC800 |
||
|
V500R002C00SPC900 |
||
|
V500R002C00SPCa00 |
||
|
V500R002C00SPCb00 |
||
|
V500R002C00SPCd00 |
||
|
V500R002C00SPCe00 |
||
|
V600R006C00 |
TE60 V600R006C00SPC400 |
|
|
V600R006C00SPC100 |
||
|
V600R006C00SPC200 |
||
|
V600R006C00SPC300 |
Successful exploit could allow the attacker to get the information and cause the sensitive information disclosure.
The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).
Base Score: 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) Temporal Score: 4.6 (E:F/RL:O/RC:C)This vulnerability can be exploited only when the following conditions are present:
1. Attacker can connect to the devices.
2. The attacker must get the right of user of device.
Vulnerability details:
Part of Huawei Products use the CIDAM protocol, which contains sensitive information in the message when it is implemented. So these products has an information disclosure vulnerability. An authenticated remote attacker could track and get the message of a target system. Successful exploit could allow the attacker to get the information and cause the sensitive information disclosure.
Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/psirt/report-vulnerabilities.
This vulnerability was discovered by Huawei internal tester.
2017-12-20 V1.0 INITIAL
None
Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.
To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.
To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.
