Insufficient verification of data authenticity in several Huawei Products



Published: 2019-12-05
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-5291
CWE-ID CWE-345
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Huawei AR120-S
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR1200
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR1200-S
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR150
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR150-S
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR160
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR200
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR200-S
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR2200
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR2200-S
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR3200
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei AR3600
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei NetEngine16EX
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei S6700
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei SRG1300
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei SRG2300
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei SRG3300
Hardware solutions / Routers & switches, VoIP, GSM, etc

Huawei CloudEngine 12800
Hardware solutions / Firmware

Vendor Huawei

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Insufficient verification of data authenticity

EUVDB-ID: #VU23419

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-5291

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause the target device abnormal.

The vulnerability exists due to the target system does not verify certain parameters sufficiently. A remote attacker can intercept specific packets between two devices, modify the packets, send the modified packets to the peer device and cause the target device abnormal.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Huawei AR120-S: V200R005C20 - V200R008C50

Huawei AR1200: V200R005C00 - V200R007C00

Huawei AR1200-S: V200R005C20 - V200R008C50

Huawei AR150: V200R005C20 - V200R008C50

Huawei AR150-S: V200R005C20 - V200R008C50

Huawei AR160: V200R005C20 - V200R008C50

Huawei AR200: V200R005C20 - V200R008C50

Huawei AR200-S: V200R005C20 - V200R008C50

Huawei AR2200: V200R005C20 - V200R008C50

Huawei AR2200-S: V200R005C20 - V200R008C50

Huawei AR3200: V200R005C20 - V200R008C50

Huawei AR3600: V200R006C10 - V200R008C50

Huawei NetEngine16EX: V200R005C20 - V200R008C50

Huawei S6700: V200R008C00 - V200R011C00SPC200

Huawei SRG1300: V200R005C20 - V200R008C50

Huawei SRG2300: V200R005C20 - V200R008C50

Huawei SRG3300: V200R005C20 - V200R008C50

Huawei CloudEngine 12800: V200R002C10 - V200R002C20

External links

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191204-01-validation-en


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###