SB2020012409 - Multiple vulnerabilities in Some Huawei products

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper Authentication (CVE-ID: CVE-2020-1842)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local attacker to bypass authentication process.

The vulnerability exists due to insufficient authentication. An attacker with physical access to the device can perform specific operations to gain elevated privileges.

2) Insufficient verification of data authenticity (CVE-ID: CVE-2020-1843)

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local attacker to perform an illegal operation on the target device.

The vulnerability exists due to an insufficient verification issue. An attacker with physical access can perform specific operations, leading to an illegal operation.

Remediation

Install update from vendor's website.

References

• https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200122-01-osca-en
• https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200122-02-osca-en