#VU24379 Infinite loop in Huawei products - CVE-2019-19416

Vulnerability identifier: #VU24379

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2019-19416

CWE-ID: CWE-835

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Huawei AR120-S
Huawei AR1200
Huawei AR1200-S
Huawei AR150
Huawei AR150-S
Huawei AR160
Huawei AR200
Huawei AR200-S
Huawei AR2200
Huawei AR2200-S
Huawei AR3200
Huawei AR3600
Huawei AR510
Huawei NetEngine16EX
Huawei SRG1300
Huawei SRG2300
Huawei SRG3300
USG9500
Huawei USG9520
Huawei USG9560
Huawei DP300
Huawei SMC2.0
Huawei TE30
Huawei TE40
Huawei TE50
Huawei TE60
Huawei TP3206
Huawei IPS Module
Huawei NIP6300
Huawei NIP6600
Huawei NIP6800
Huawei NGFW Module
Huawei SVN5600
Huawei SVN5800
Huawei SVN5800-C
RSE6500
Huawei SeMG9811
Huawei Secospace USG6300
Huawei Secospace USG6500
Huawei Secospace USG6600
Huawei SoftCo
Huawei ViewPoint 8660
Huawei ViewPoint 9030
Huawei eSpace U1910
Huawei eSpace U1911
Huawei eSpace U1930
Huawei eSpace U1960
Huawei eSpace U1980
Huawei VP9660
Huawei eSpace U1981

Software vendor:
Huawei

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when processing packets in the SIP module. A remote attacker can send a specially crafted message, consume all available system resources and cause denial of service conditions.

Install updates from vendor's website.

• https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-sip-en