CVSS3: 7.4 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.974 High
Percentile: 99.9%

This security advisory (SA) describes the impact of 7 OpenSSL vulnerabilities discovered in third-party software.
The vulnerabilities are referenced in this document as follows:
1. SSL/TLS Man-in-the-Middle Vulnerability (CVE-2014-0224). An unauthenticated, remote attacker with the ability to intercept traffic between an affected client and server could successfully execute a man-in-the-middle attack. (Vulnerability ID: HWPSIRT-2014-0604)
The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224
2. DTLS Recursion Flaw Vulnerability (CVE-2014-0221). An unauthenticated, remote attacker that can convince an affected client to connect to an attacker-controlled server could send an affected device a crafted DTLS packet. This could result in a partial or complete DoS condition on the affected device. (Vulnerability ID: HWPSIRT-2014-0605)
The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0221
3. DTLS Invalid Fragment Vulnerability (CVE-2014-0195). An unauthenticated, remote attacker could send an affected device a crafted DTLS packet designed to trigger a buffer overflow condition. This could allow the attacker to gain the ability to execute arbitrary code with elevated privileges. (Vulnerability ID: HWPSIRT-2014-0606)
The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0195
4. SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability (CVE-2014-0198). An unauthenticated, remote attacker could submit a malicious request designed to trigger a NULL pointer dereference. This could result in a partial or complete DoS condition on the affected device. (Vulnerability ID: HWPSIRT-2014-0607)
The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198
5. SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability (CVE-2010-5298). An unauthenticated, remote attacker could submit a malicious request designed to inject content into a parallel context or trigger a DoS condition. (Vulnerability ID: HWPSIRT-2014-0608)
The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
6. Anonymous ECDH Denial of Service Vulnerability (CVE-2014-3470). An unauthenticated, remote attacker that can convince an affected client to connect to an attacker-controlled server could submit a crafted certificate designed to trigger a NULL pointer dereference. If successful, the attacker could create a DoS condition. (Vulnerability ID: HWPSIRT-2014-0609)
The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3470
7. ECDSA NONCE Side-Channel Recovery Attack Vulnerability (CVE-2014-0076). An attacker with the ability to run an application on an affected device could recover portions of ECDSA cryptographic materials via a side-channel attack. This could allow the attacker to reconstruct encryption keys used for the protection of network communications. (Vulnerability ID: HWPSIRT-2014-0610)
The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076
The 7 vulnerabilities affect the Huawei products that use OpenSSL. Fixed versions have been provided for some products.