#VU22780 Input validation error in Huawei Hardware solutions


Published: 2019-11-14 | Updated: 2019-11-15

Vulnerability identifier: #VU22780

Vulnerability risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-5268

CWE-ID: CWE-20

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Huawei CD10-10
Hardware solutions / Routers for home users
Huawei CD16-10
Hardware solutions / Routers for home users
Huawei WS5102-10
Hardware solutions / Routers for home users
Huawei WS5106-10
Hardware solutions / Routers for home users
Huawei WS5108-10
Hardware solutions / Routers for home users
Huawei WS5200-10
Hardware solutions / Routers for home users
Huawei WS5200-11
Hardware solutions / Routers for home users
Huawei WS5280-10
Hardware solutions / Routers for home users
Huawei WS5280-11
Hardware solutions / Routers for home users
Huawei WS6500-10
Hardware solutions / Routers for home users
Huawei WS6500-11
Hardware solutions / Routers for home users
Huawei WS826-10
Hardware solutions / Routers for home users
Huawei WS5100-10
Hardware solutions / Routers for home users
Huawei TC5200-10
Hardware solutions / Routers for home users
Huawei HiRouter-H1-10
Hardware solutions / Routers for home users
Huawei HiRouter-CD30-11
Hardware solutions / Routers for home users
Huawei HiRouter-CD30-10
Hardware solutions / Routers for home users
Huawei HiRouter-CD21-16
Hardware solutions / Routers for home users
Huawei HiRouter-CD20-10
Hardware solutions / Routers for home users
Huawei HiRouter-CD15-10
Hardware solutions / Routers for home users
Huawei CD18-10
Hardware solutions / Routers for home users
Huawei CD17-10
Hardware solutions / Routers for home users

Vendor: Huawei

Description

The vulnerability allows a local user to upload arbitrary files.

The vulnerability exists due to insufficient validation of user-supplied input. An authenticated attacker on an adjacent network with access to the device can send a specially crafted packet to obtain files from the device and upload files to some directories.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Huawei CD10-10: 10.0.2.2

Huawei CD16-10: 10.0.2.3

Huawei WS5102-10: 10.0.2.2

Huawei WS5106-10: 10.0.2.2

Huawei WS5108-10: 10.0.2.2

Huawei WS5200-10: 9.0.3.9 - 10.0.2.2(C05)

Huawei WS5200-11: 9.0.3.11 - 10.0.2.3

Huawei WS5280-10: 9.0.3.22

Huawei WS5280-11: 9.0.3.22

Huawei WS6500-10: 10.0.2.3

Huawei WS6500-11: 10.0.2.2

Huawei WS826-10: 9.0.3.11

Huawei WS5100-10: 9.0.3.11

Huawei TC5200-10: 10.0.2.3

Huawei HiRouter-H1-10: 9.0.3.11

Huawei HiRouter-CD30-11: 10.0.2.8

Huawei HiRouter-CD30-10: 10.0.2.8

Huawei HiRouter-CD21-16: 9.0.3.9

Huawei HiRouter-CD20-10: 9.0.3.9

Huawei HiRouter-CD15-10: 9.0.2.3

Huawei CD18-10: 9.0.2.23

Huawei CD17-10: 9.0.3.3


External links
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191113-01-homerouter-en


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

