Security Advisory - Two Vulnerabilities in Some Huawei CPE Devices

2017-09-20T00:00:00
ID HUAWEI-SA-20170920-01-CPE
Type huawei
Reporter Huawei Technologies
Modified 2017-09-20T00:00:00

Description

The outdoor unit of some Customer Premise Equipment (CPE) has a no-authentication vulnerability on a certain port. After gaining access to the network between the indoor and outdoor units of the CPE, an attacker can deliver commands to the specific port of the outdoor unit and execute them without authentication. Successful exploitation could allow the attacker to take control of the outdoor unit. (Vulnerability ID: HWPSIRT-2017-06244)

This vulnerability has been assigned a CVE ID: CVE-2017-8155.

The outdoor unit of some CPE has a no-authentication vulnerability on the serial port. An attacker can access the serial port on the circuit board of the outdoor unit and log in to the CPE without authentication. Successful exploitation could allow the attacker to take control of the outdoor unit. (Vulnerability ID: HWPSIRT-2017-06245)

This vulnerability has been assigned a CVE ID: CVE-2017-8156.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170920-01-cpe-en