Security Advisory - Three JSON Injection Vulnerabilities in Huawei Some Products

By exploiting this vulnerability, the attacker can obtain the management privilege of the system.

The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).

HWPSIRT-2018-02052, HWPSIRT-2018-02053 and HWPSIRT-2018-02054:

Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 8.2 (E:F/RL:O/RC:C)

HWPSIRT-2018-02052, HWPSIRT-2018-02053 and HWPSIRT-2018-02054:

This vulnerability can be exploited only when the following conditions are present:

The attacker could log in to the system as a user.

Vulnerability details:

There are three JSON injection vulnerabilities in Huawei some product. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Due to insufficient verification of the input, this could be exploited to obtain the management privilege of the system.

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/psirt/report-vulnerabilities.

This vulnerability was discovered by Huawei internal tester.

2018-06-04 V1.1 UPDATED Updated the affected version and fix version information
2018-05-23 V1.0 INITIAL

None

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.