Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2019-5273 CVE-2019-5275 CVE-2019-5274 CVE-2019-5272 |
CWE-ID | CWE-119 CWE-122 CWE-835 CWE-354 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
USG9500 Hardware solutions / Routers & switches, VoIP, GSM, etc |
Vendor | Huawei |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU23860
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5273
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a flaw in the X.509 implementation. A remote attacker can use a specially crafted certificate, trigger memory corruption and cause a denial of service condition on the target system.
Install updates from vendor's website.
Vulnerable software versionsUSG9500: V500R001C30 - V500R001C60
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191225-01-eudemon-en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23862
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5275
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the X.509 implementation. A remote attacker can use a specially crafted certificate, trigger heap-based buffer overflow and cause a denial of service on the target system.
Install updates from vendor's website.
Vulnerable software versionsUSG9500: V500R001C30 - V500R001C60
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191225-01-eudemon-en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23861
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5274
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in the X.509 implementation. A remote attacker can use a specially crafted certificate, consume all available system resources and cause a denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSG9500: V500R001C30 - V500R001C60
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191225-01-eudemon-en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23859
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5272
CWE-ID:
CWE-354 - Improper Validation of Integrity Check Value
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to make malicious modifications.
The vulnerability exists due to the software of the affected products does not check the integrity. A remote authenticated attacker can make malicious modifications without detection.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSG9500: V500R001C30 - V500R001C60
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191225-01-digital-en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.