#VU330 Authentication bypass in Huawei products - CVE-2014-9222
Published: August 19, 2016
Vulnerability identifier: #VU330
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2014-9222
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
RomPager
HG520c
HG530
RomPager
HG520c
HG530
Software vendor:
Allegro Software
Huawei
Allegro Software
Huawei
Description
The vulnerability allows a remote attacker to bypass authentication mechanisms.
The vulnerability exists due to a design error when handling cookies. A remote unauthenticated attacker can send specially crafted cookie, bypass authentication mechanisms and gain complete control over the affected device. This exploitation technique is known as "Misfortune Cookie".
Successful exploitation of this vulnerability may allow a remote attacker to gain complete control over the vulnerable device.
Remediation
The vulnerability is fixed in version 4.34.