
Security Advisory-Multiple Vulnerabilities on Huawei Tecal

  • SA No:Huawei-SA-20141224-01-Tecal
  • Initial Release Date: Dec 24, 2014
  • Last Release Date: Feb 26, 2015

Some Huawei server products have multiple security vulnerabilities.

1. Some Huawei server products have a sensitive information leak vulnerability. Users who log in to the products can view the session IDs of all online users on the Online Users page of the web UI. Attackers can also view the session IDs of users and access the system with forged identities (vulnerability ID: HWPSIRT-2014-11109).
This vulnerability has been assigned a CVE ID: CVE-2014-9691.

2. Some Huawei server products have an insufficiently random RMCP+ session ID vulnerability. The products can use only a limited number of RMCP+ session IDs. Attackers can figure out the RMCP+ session IDs of users and access the system with forged identities (vulnerability ID: HWPSIRT-2014-11113).
This vulnerability has been assigned a CVE ID: CVE-2014-9692.

3. Some Huawei server products have a cache overflow vulnerability. When processing some packets from the DNS server, the products do not check the data length. Attackers can exploit the vulnerability to execute arbitrary code or restart the system (vulnerability ID: HWPSIRT-2014-11114).
This vulnerability has been assigned a CVE ID: CVE-2014-9693.

4. Some Huawei server products have a CSRF vulnerability. The products do not use a token mechanism for web access control. When users log in to the Huawei servers and access websites containing a malicious CSRF script, the CSRF script is executed, which may cause configuration tampering and system restart (vulnerability ID: HWPSIRT-2014-11115).
This vulnerability has been assigned a CVE ID: CVE-2014-9694.
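The session and CSRF weaknesses in items 1, 2 and 4 come down to three controls, shown together in the sketch below: session IDs drawn from a CSPRNG, an online-users listing that never carries session IDs, and a per-session token checked on every state-changing request. This is an added example, not Huawei's code or fix; the `SessionStore` class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Hypothetical in-memory session store for a management web UI."""

    def __init__(self):
        self._sessions = {}                       # session_id -> username
        self._csrf_key = secrets.token_bytes(32)  # server-side secret, never sent

    def login(self, username):
        # 256 bits from the OS CSPRNG: IDs cannot be enumerated or predicted.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        return session_id

    def csrf_token(self, session_id):
        # Bound to one session, so a third-party page cannot supply a valid value.
        return hmac.new(self._csrf_key, session_id.encode(),
                        hashlib.sha256).hexdigest()

    def online_users(self):
        # The listing exposes usernames only; session IDs stay server-side.
        return sorted(set(self._sessions.values()))

    def allow_state_change(self, session_id, submitted_token):
        """Accept a configuration change only with the session's own token."""
        if session_id not in self._sessions:
            return False
        expected = self.csrf_token(session_id).encode()
        supplied = (submitted_token or "").encode()
        return hmac.compare_digest(expected, supplied)  # constant-time compare


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("admin")
    print(store.online_users())
    print(store.allow_state_change(sid, store.csrf_token(sid)))  # legitimate form
    print(store.allow_state_change(sid, None))                   # cross-site request
```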

| Product name | Affected Version | Resolved Product and Version |
|---|---|---|
| Tecal RH1288 V2 | V100R002C00SPC107 and earlier versions | V100R002C00SPC116 |
| Tecal RH2265 V2 | V100R002C00 | Upgrade to RH2285 V2 V100R002C00SPC116 |
| Tecal RH2285 V2 | V100R002C00SPC115 and earlier versions | V100R002C00SPC116 |
| Tecal RH2265 V2 | V100R002C00 | Upgrade to RH2285H V2 V100R002C00SPC112 |
| Tecal RH2285H V2 | V100R002C00SPC111 and earlier versions | V100R002C00SPC112 |
| Tecal RH2268 V2 | V100R002C00 | Upgrade to RH2288 V2 V100R002C00SPC118 |
| Tecal RH2288 V2 | V100R002C00SPC117 and earlier versions | V100R002C00SPC118 |
| Tecal RH2288H V2 | V100R002C00SPC115 and earlier versions | V100R002C00SPC116 |
| Tecal RH2485 V2 | V100R002C00SPC502 and earlier versions | V100R002C00SPC503 |
| Tecal RH5885 V2 | V100R001C02SPC109 and earlier versions | V100R001C02SPC110 |
| Tecal RH5885 V3 | V100R003C01SPC102 and earlier versions | V100R003C01SPC103 |
| Tecal RH5885H V3 | V100R003C00SPC102 and earlier versions | V100R003C00SPC103 |
| Tecal XH310 V2 | V100R001C00SPC110 and earlier versions | V100R001C00SPC111 |
| Tecal XH311 V2 | V100R001C00SPC110 and earlier versions | V100R001C00SPC111 |
| Tecal XH320 V2 | V100R001C00SPC110 and earlier versions | V100R001C00SPC111 |
| Tecal XH621 V2 | V100R001C00SPC106 and earlier versions | V100R001C00SPC107 |
| Tecal DH310 V2 | V100R001C00SPC110 and earlier versions | V100R001C00SPC111 |
| Tecal DH320 V2 | V100R001C00SPC106 and earlier versions | V100R001C00SPC107 |
| Tecal DH620 V2 | V100R001C00SPC106 and earlier versions | V100R001C00SPC107 |
| Tecal DH621 V2 | V100R001C00SPC107 and earlier versions | V100R001C00SPC107 |
| Tecal DH628 V2 | V100R001C00SPC107 and earlier versions | V100R001C00SPC107 |
| Tecal BH620 V2 | V100R002C00SPC107 and earlier versions | V100R002C00SPC107 |
| Tecal BH621 V2 | V100R002C00SPC106 and earlier versions | V100R002C00SPC107 |
| Tecal BH622 V2 | V100R002C00SPC110 and earlier versions | V100R002C00SPC111 |
| Tecal BH640 V2 | V100R002C00SPC108 and earlier versions | V100R002C00SPC109 |
| Tecal CH121 | V100R001C00SPC180 and earlier versions | V100R001C00SPC200 |
| Tecal CH140 | V100R001C00SPC110 and earlier versions | V100R001C00SPC130 |
| Tecal CH220 | V100R001C00SPC180 and earlier versions | V100R001C00SPC200 |
| Tecal CH221 | V100R001C00SPC180 and earlier versions | V100R001C00SPC200 |
| Tecal CH222 | V100R002C00SPC180 and earlier versions | V100R002C00SPC200 |
| Tecal CH240 | V100R001C00SPC180 and earlier versions | V100R001C00SPC200 |
| Tecal CH242 | V100R001C00SPC180 and earlier versions | V100R001C00SPC200 |
| Tecal CH242 V3 | V100R001C00SPC110 and earlier versions | V100R001C00SPC130 |

HWPSIRT-2014-11109:

Attackers can exploit the vulnerability to access the system with forged identities.

HWPSIRT-2014-11113:

Attackers can exploit the vulnerability to access the system with forged identities.

HWPSIRT-2014-11114:

Attackers can exploit the vulnerability to execute arbitrary code or restart the system.

HWPSIRT-2014-11115:

Attackers can exploit the vulnerability to tamper with the server configuration or restart the system.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

HWPSIRT-2014-11109:

Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Temporal Score: 3.3 (E:F/RL:O/RC:C)

HWPSIRT-2014-11113:

Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Temporal Score: 4.1 (E:F/RL:O/RC:C)

HWPSIRT-2014-11114:

Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Temporal Score: 6.2 (E:F/RL:O/RC:C)

HWPSIRT-2014-11115:

Base Score: 8.5 (AV:N/AC:L/Au:N/C:N/I:P/A:C)

Temporal Score: 7.0 (E:F/RL:O/RC:C)
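The published scores can be reproduced from their vectors with the CVSSv2 base and temporal equations, which is a useful check before feeding them into a patch-priority process. The following is an added example, not part of the advisory; the function names are hypothetical, and `RL:O` is accepted as this advisory's spelling of the specification's `RL:OF` (Official Fix).

```python
# CVSSv2 metric weights (CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
# "O" is how this advisory abbreviates Official Fix (RL:OF in the specification).
RL = {"OF": 0.87, "O": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}

# Vectors and scores exactly as published in the advisory text above.
PUBLISHED = {
    "HWPSIRT-2014-11109": ("AV:N/AC:L/Au:S/C:P/I:N/A:N", 4.0, "E:F/RL:O/RC:C", 3.3),
    "HWPSIRT-2014-11113": ("AV:N/AC:L/Au:N/C:P/I:N/A:N", 5.0, "E:F/RL:O/RC:C", 4.1),
    "HWPSIRT-2014-11114": ("AV:N/AC:L/Au:N/C:P/I:P/A:P", 7.5, "E:F/RL:O/RC:C", 6.2),
    "HWPSIRT-2014-11115": ("AV:N/AC:L/Au:N/C:N/I:P/A:C", 8.5, "E:F/RL:O/RC:C", 7.0),
}


def parse(vector):
    """Split 'AV:N/AC:L/...' into a {metric: value} dict."""
    return dict(part.split(":") for part in vector.strip("()").split("/"))


def base_score(vector):
    m = parse(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def temporal_score(base, vector):
    m = parse(vector)
    return round(base * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]], 1)


def mismatches():
    """Return the IDs whose recomputed scores differ from the published ones."""
    bad = []
    for vuln_id, (bvec, base, tvec, temporal) in PUBLISHED.items():
        b = base_score(bvec)
        if (b, temporal_score(b, tvec)) != (base, temporal):
            bad.append(vuln_id)
    return bad


if __name__ == "__main__":
    print(mismatches() or "all published scores reproduce")
```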

HWPSIRT-2014-11109:

1. Prerequisites:
Attackers can access the web UI of the server.
2. Attacking procedure:
Attackers log in to the web UI, view the session IDs of users on the Online Users page, and use the session IDs to impersonate the users to access the system.

HWPSIRT-2014-11113:

1. Prerequisites:
Attackers can access the web UI of the server.
2. Attacking procedure:
Attackers figure out the session IDs of users and use the session IDs to impersonate the users to access the system.

HWPSIRT-2014-11114:

1. Prerequisites:
Attackers can impersonate the victim DNS server.
2. Attacking procedure:
When the server initiates a DNS request, attackers reply to the request with a specific DNS packet.

HWPSIRT-2014-11115:

1. Prerequisites:
Attackers construct websites containing a malicious script, and the websites are accessible to servers that are affected by the vulnerability.
2. Attacking procedure:
Attackers construct websites containing a malicious script and then trick users into logging in to the server to access the website.

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.


This vulnerability was first found by a Huawei internal tester. Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

For security problems about Huawei products and solutions, please contact PSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


2015-02-26 V1.2 UPDATED update the affected version

2015-02-15 V1.1 UPDATED update the affected version

2014-12-24 V1.0 INITIAL

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.