Authentication bypass in Huawei products - CVE-2014-9222
Published: August 19, 2016
Vulnerability identifier: #VU330
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2014-9222
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Allegro Software
Huawei
Huawei
Affected software:
RomPager
HG520c
HG530
RomPager
HG520c
HG530
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication mechanisms.
The vulnerability exists due to a design error when handling cookies. A remote unauthenticated attacker can send specially crafted cookie, bypass authentication mechanisms and gain complete control over the affected device. This exploitation technique is known as "Misfortune Cookie".
Successful exploitation of this vulnerability may allow a remote attacker to gain complete control over the vulnerable device.
How to mitigate CVE-2014-9222
The vulnerability is fixed in version 4.34.