Lucene search

[email protected]CVE-2021-37127

HistoryOct 27, 2021 - 1:15 a.m.

CVE-2021-37127

2021-10-2701:15:07

CWE-347

[email protected]

web.nvd.nist.gov

cve-2021-37127

signature management vulnerability

huawei products

firmware update

system file overwrite

nvd

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.9%

JSON

There is a signature management vulnerability in some huawei products. An attacker can forge signature and bypass the signature check. During firmware update process, successful exploit this vulnerability can cause the forged system file overwrite the correct system file. Affected product versions include:iManager NetEco V600R010C00CP2001,V600R010C00CP2002,V600R010C00SPC100,V600R010C00SPC110,V600R010C00SPC120,V600R010C00SPC200,V600R010C00SPC210,V600R010C00SPC300;iManager NetEco 6000 V600R009C00SPC100,V600R009C00SPC110,V600R009C00SPC120,V600R009C00SPC190,V600R009C00SPC200,V600R009C00SPC201,V600R009C00SPC202,V600R009C00SPC210.

Affected configurations

NVD

Node

huaweiimanager_neteco_6000_firmwareMatchv600r010c00cp2001

huaweiimanager_neteco_6000_firmwareMatchv600r010c00cp2002

huaweiimanager_neteco_6000_firmwareMatchv600r010c00spc100

huaweiimanager_neteco_6000_firmwareMatchv600r010c00spc110

huaweiimanager_neteco_6000_firmwareMatchv600r010c00spc120

huaweiimanager_neteco_6000_firmwareMatchv600r010c00spc200

huaweiimanager_neteco_6000_firmwareMatchv600r010c00spc210

huaweiimanager_neteco_6000_firmwareMatchv600r010c00spc300

AND

huaweiimanager_neteco_6000Match-

Node

huaweiimanager_neteco_firmwareMatchv600r009c00spc100

huaweiimanager_neteco_firmwareMatchv600r009c00spc110

huaweiimanager_neteco_firmwareMatchv600r009c00spc120

huaweiimanager_neteco_firmwareMatchv600r009c00spc190

huaweiimanager_neteco_firmwareMatchv600r009c00spc200

huaweiimanager_neteco_firmwareMatchv600r009c00spc201

huaweiimanager_neteco_firmwareMatchv600r009c00spc202

huaweiimanager_neteco_firmwareMatchv600r009c00spc210

AND

huaweiimanager_netecoMatch-

CPENameOperatorVersion
huawei:imanager_neteco_6000_firmwarehuawei imanager neteco 6000 firmwareeqv600r010c00cp2001
huawei:imanager_neteco_6000_firmwarehuawei imanager neteco 6000 firmwareeqv600r010c00cp2002
huawei:imanager_neteco_6000_firmwarehuawei imanager neteco 6000 firmwareeqv600r010c00spc100
huawei:imanager_neteco_6000_firmwarehuawei imanager neteco 6000 firmwareeqv600r010c00spc110
huawei:imanager_neteco_6000_firmwarehuawei imanager neteco 6000 firmwareeqv600r010c00spc120
huawei:imanager_neteco_6000_firmwarehuawei imanager neteco 6000 firmwareeqv600r010c00spc200
huawei:imanager_neteco_6000_firmwarehuawei imanager neteco 6000 firmwareeqv600r010c00spc210
huawei:imanager_neteco_6000_firmwarehuawei imanager neteco 6000 firmwareeqv600r010c00spc300

CPE	Name	Operator	Version
huawei:imanager_neteco_6000_firmware	huawei imanager neteco 6000 firmware	eq	v600r010c00cp2001
huawei:imanager_neteco_6000_firmware	huawei imanager neteco 6000 firmware	eq	v600r010c00cp2002
huawei:imanager_neteco_6000_firmware	huawei imanager neteco 6000 firmware	eq	v600r010c00spc100
huawei:imanager_neteco_6000_firmware	huawei imanager neteco 6000 firmware	eq	v600r010c00spc110
huawei:imanager_neteco_6000_firmware	huawei imanager neteco 6000 firmware	eq	v600r010c00spc120
huawei:imanager_neteco_6000_firmware	huawei imanager neteco 6000 firmware	eq	v600r010c00spc200
huawei:imanager_neteco_6000_firmware	huawei imanager neteco 6000 firmware	eq	v600r010c00spc210
huawei:imanager_neteco_6000_firmware	huawei imanager neteco 6000 firmware	eq	v600r010c00spc300

CNA Affected

[
  {
    "product": "iManager NetEco;iManager NetEco 6000",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "V600R010C00CP2001,V600R010C00CP2002,V600R010C00SPC100,V600R010C00SPC110,V600R010C00SPC120,V600R010C00SPC200,V600R010C00SPC210,V600R010C00SPC300"
      },
      {
        "status": "affected",
        "version": "V600R009C00SPC100,V600R009C00SPC110,V600R009C00SPC120,V600R009C00SPC190,V600R009C00SPC200,V600R009C00SPC201,V600R009C00SPC202,V600R009C00SPC210"
      }
    ]
  }
]

References

www.huawei.com/en/psirt/security-advisories/huawei-sa-20211020-01-signature-en

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.9%

JSON

Related for CVE-2021-37127

cnvd1 prion1 cvelist1 huawei1 nvd1