Security Advisory - DoS Vulnerability in the OceanStor 5800
The OceanStor 5800 Storage Systems are mid-range storage products newly developed by Huawei. Huawei OceanStor 5800 has a DoS vulnerability. An attacker may send massive abnormal HTTP packets to the device. As a result, the HTTP service generates a high CPU usage, and the device denies services...
Security Advisory - Insufficient Input Validation Vulnerability in the FusionInsight
The FusionInsight has an insufficient input validation vulnerability. An attacker may exploit it to gain the root privilege of the Linux system where the software resides and control the operating system cluster. Vulnerability ID: HWPSIRT-2016-06010 This vulnerability has been assigned Common...
Security Advisory - Token Transmission in Plaintext Vulnerability in OceanStor Products
The OceanStor 5300 V3/5500 V3/5600 V3/5800 V3/6800 V3/18800 V3/18500 V3 are mid-range and high-end storage products newly developed by Huawei Technologies Co., Ltd (Huawei for short). This series is ideal for processing existing storage applications and follows the future development trend of...
Security Advisory - Memory Leak Vulnerability in Several Huawei Products
There is a vulnerability in several Huawei devices: USG series, NGFW module, IPS module, NIP series and AntiDDoS8000. A memory leak vulnerability exists in these products. In hot standby networking where two devices are not directly connected, an attacker can craft a malformed packet, which...
Security Advisory - Memory Leak Vulnerability in Some Huawei Products
Some Huawei products have a memory leak vulnerability. When the packet processing module of the device processes abnormal Multiprotocol Label Switching (MPLS) packets sent by attackers, the module repeatedly applies for memory, resulting in memory exhaustion in persistent attacks. Vulnerability ID:...
Security Advisory - Several Vulnerabilities in Huawei Honor Routers
Huawei Honor routers do not verify some parameters. As a result, sensitive information may be displayed, causing the leak of sensitive information. Vulnerability ID: HWPSIRT-2016-05053 This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-5367. Huawei Honor...
Security Advisory - Buffer Overflow Vulnerability in Some Videoconference Products
The VP9660, VP9650, and VP9630 are Multipoint Control Units (MCUs). As the core devices in videoconferencing systems, they provide endpoint access and conferencing functions. The three devices use the same software, namely, HUAWEI VP9660. The RSE6500 is a multimedia video conferencing server with...
Security Advisory - Apache Struts2 Remote Code Execution Vulnerability in Huawei Products
Apache Struts2 disclosed a remote code execution vulnerability in S2-032 on its official website. When Dynamic Method Invocation (DMI) is enabled, an exploit could allow the attacker to cause remote code execution. Vulnerability ID: HWPSIRT-2016-04052 This vulnerability has been assigned a Common...
Security Advisory - Multiple Vulnerabilities in Huawei Smart Phones
Huawei smart phones have two authentication bypass vulnerabilities. An attacker may trick users into installing a malicious app, and the app could exploit these vulnerabilities to bypass the permission checks, controlling partial module functions (Vulnerability ID: HWPSIRT-2016-03013), and deletin...
Security Advisory - Information Leak Vulnerability in Huawei Smart Phones
Some Huawei smartphones have an information leak vulnerability due to improper security status verification. An attacker may use a rogue base station to obtain information about subscribers' signal strengths. Vulnerability ID: HWPSIRT-2015-12007 This vulnerability has been assigned Common...
Security Advisory - Two Buffer Overflow Vulnerabilities in Wi-Fi Driver of Huawei Smart Phone
The Wi-Fi driver of some Huawei products has two buffer overflow vulnerabilities due to the lack of a parameter check. An attacker may trick a user into installing a malicious application, and the application can send a given parameter to the Wi-Fi driver to crash the system or escalate user privilege...
Security Advisory - Buffer Overflow Vulnerability in Huawei Several Products
There is a vulnerability in several Huawei devices: USG series and NGFW Module. These products have a buffer overflow vulnerability in the Smart DNS function. An attacker may craft a malformed packet with illegitimate parameters, leading to denial of service or the potential execution of arbitrar...
Security Advisory - Buffer Overflow Vulnerability in Huawei Several Products
There is a vulnerability in several Huawei devices: USG series, NGFW Module, IPS Module, NIP series and AntiDDoS8000. These products have a buffer overflow vulnerability in the Application Specific Packet Filtering (ASPF) function. An attacker may craft a malformed packet with illegitimate...
Security Advisory - XSS Vulnerability in the Email App of Huawei Smartphone
There is a vulnerability due to the lack of output encoding for some particular characters in the email APP built in the affected Smart Phones. A successful exploitation of the vulnerability could allow an unauthenticated remote attacker to perform a cross-site scripting (XSS) attack and lead to...
Security Advisory - Input Validation Vulnerability in Multiple Huawei Products
There is an input validation vulnerability in multiple Huawei products. When the debug switch on the device is enabled, an attacker with network access may exploit this vulnerability by crafting malformed DNS packets and sending them to the target device. Due to the lack of input validation, a...
Security Advisory - Permission Control Vulnerability in the HiSuite
The HiSuite is mobile assistant software on PCs. The HiSuite has a permission control vulnerability. An unauthenticated attacker who has access to the LAN could exploit the vulnerability to install any app on the mobile phone. Vulnerability ID: HWPSIRT-2016-03034 This vulnerability has been...
Security Advisory - Cross-Site Script Vulnerability in Policy Center
Huawei Policy Center dynamically allocates network resources in a unified manner, enabling the network to provide services with more agility. A cross-site scripting (XSS) vulnerability exists in Huawei Policy Center. The vulnerability is caused by incomplete input validation. An attacker with a...
Security Advisory - Vulnerability of No SSL Certificate Validation in Huawei Wear App and Hilink APP
A vulnerability of no SSL certificate validation exists in Huawei Wear APP and Hilink APP. These APPs still load the web page when accessing a website whose SSL certificate has issues, which brings risks to users. Vulnerability ID: HWPSIRT-2016-03008 This vulnerability has been assigned a Common...
Security Advisory - Input Validation Vulnerability in Huawei AR3200
There is an input validation vulnerability in Huawei AR3200, which allows an attacker who logs into the device to send malformed packets, causing the AR3200 to occasionally restart and resulting in a Denial of Service. Vulnerability ID: HWPSIRT-2015-10047 This vulnerability has been assigned Common Vulnerabiliti...
Security Advisory - Integrity Protection Vulnerability in Huawei E3276s Products
The Huawei E3276s products have an integrity protection vulnerability. As a result, user communication can be intercepted, spoofed, and injected with traffic. Vulnerability ID: HWPSIRT-2016-02019 This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-3676...
Security Advisory - OpenSSL DROWN Security Vulnerability
The OpenSSL official website released a security advisory about a high risk vulnerability dubbed DROWN (CVE-2016-0800) on March 1st, 2016. The vulnerability is: Once SSLv2 is used, an attacker can capture packets or act as a man in the middle (MITM) to obtain SSL session keys, decrypt encrypted traffic,...
Security Advisory - DoS Vulnerability in Huawei S Series Switches
Multiple models of Huawei S series switches have a DoS vulnerability. When an attacker controls or impersonates a server connected to a switch, the attacker can send malicious attack packets to the switch to cause it to restart and make it unavailable. Vulnerability ID: HWPSIRT-2015-12022 This...
Security Advisory - DoS Vulnerability in FusionCompute
FusionCompute is a cloud OS software for virtualization of hardware resources and central management of virtual, service, and user resources. A DoS vulnerability exists in FusionCompute. An attacker can send abnormal packets as an ordinary user to exhaust system resources and make services...
Security Advisory - SQL Injection Vulnerability in Policy Center Product
Huawei Policy Center dynamically allocates network resources in a unified manner, enabling the network to provide services with more agility. The Policy Center has a SQL injection vulnerability. After logging in to the target device, a remote attacker could exploit this vulnerability by crafting...
Security Advisory - GNU Glibc Buffer Overflow Security Vulnerability
The Google security research team disclosed a buffer overflow vulnerability in the GNU C library (glibc), CVE-2015-7547, on February 16, 2016. Remote attackers can exploit the vulnerability to execute arbitrary code on an affected device. Vulnerability ID: HWPSIRT-2016-02018 This vulnerability has been...
Security Advisory - DLL Hijacking Vulnerability on Huawei UTPS
Huawei UTPS software runs on USB modem products to manage data cards. It provides data card setting, dial-up setting, message sending and receiving, and contacts management functions. UTPS contains a DLL hijacking vulnerability. This vulnerability exists because some DLL file is loaded by UTPS...
Security Advisory - Chunked HTTP Packet L7-Parsing Vulnerability in Huawei Products
There is a vulnerability in several Huawei products: AR series, NetEngine16EX and SRG series. If the Layer 7 HTTP chunked packet parsing function is enabled on these devices, an attacker could exploit the vulnerability to craft a special HTTP chunked packet and send it to the target device to caus...
Security Advisory - Information Disclosure Vulnerability in the DSM
Huawei Document Security Management (DSM) provides document permission control. A vulnerability in the permission control module of DSM could lead to incorrect control over specific permissions on encrypted documents. Vulnerability ID: HWPSIRT-2015-12030 This vulnerability has been assigned Common...
Security Advisory - Permission Control Vulnerability in Some Huawei Switches
Some Huawei switches have a permission control vulnerability. If a switch enables Authentication, Authorization and Accounting (AAA) for permission control and user permissions are not appropriate, AAA users may obtain the virtual type terminal (VTY) access permission, resulting in privilege...
Security Advisory - Privilege Escalation Vulnerability in Huawei Policy Center
Huawei Policy Center dynamically allocates network resources in a unified manner, enabling the network to provide services with more agility. Huawei Policy Center has a privilege escalation vulnerability. An attacker could log in to the device as a low-privilege user, craft a URL that contains...
Security Advisory - XSS Vulnerability in Huawei Agile Controller-Campus
A reflected cross-site scripting (XSS) vulnerability exists in some portal authentication pages of the Agile Controller-Campus. When an attacker sends a malicious link to the system and a user who is online clicks on the link, XSS occurs. Therefore, the attacker may obtain the administrator privilege...
Security Advisory - Integer Overflow Vulnerability in Graphics Driver of Huawei Smart Phone
Graphics drivers of some Huawei smart phones have an integer overflow issue due to the lack of a parameter check, which leads to a further heap overflow vulnerability. An attacker may trick a user into installing a malicious application and the application can exploit the vulnerability to crash the...
Security Advisory - Input Validation Vulnerability in the Video0 Driver of Huawei Smart Phones
There is an input validation vulnerability in the Video0 driver of some Huawei smart phones. An attacker may trick a user into installing a malicious application and the application can exploit the vulnerability to print stack memory content or crash the system when the application accesses invalid...
Security Advisory - DNS Static Source Port Vulnerability in Huawei E5151 and E5186
Huawei E5151 and E5186 allow DNS query packets using the static source port. Attackers can exploit the vulnerability to launch DNS Spoofing Attack and compromise the normal service of DNS. Vulnerability ID: HWPSIRT-2015-10001 This vulnerability has been assigned Common Vulnerabilities and Exposur...
Security Advisory - Memory Leak Vulnerability in Huawei Switches
When serving as an HTTPS or SFTP server, the Huawei switch stores a user's SSL session information in the memory even after the user logs out. If the memory occupied by the SSL session information exceeds the allocated amount, a memory leak occurs, causing the device to restart. Vulnerability ID:...
Security Advisory - DoS Vulnerability in Huawei CE Series Switches
Huawei CE series switches are high-performance switches designed for next-generation data centers. The CE series switches have a DoS vulnerability. An attacker logs in to the switches multiple times using a non-administrator account through a specific protocol to exploit this vulnerability...
Security Advisory - DoS Vulnerability in Graphics Driver of Huawei Smart Phones
There is a Denial of Service (DoS) vulnerability in the Graphics driver of some Huawei smart phones. An attacker may trick a user into installing a malicious application and the application can cause a semaphore deadlock, which causes the system to crash. Vulnerability ID: HWPSIRT-2015-12015 This...
Security Advisory - ICMPv6 DoS Vulnerability in Huawei Switches
Multiple Huawei switches improperly release memory for ICMPv6 packets of a specific type. After the switch receives a specially crafted ICMPv6 packet, a memory leak occurs, causing the switch to restart if the allocated memory is exhausted. Vulnerability ID: HWPSIRT-2015-11034 This vulnerability ha...
Security Advisory - Information Exposure Vulnerability in Huawei Ethernet Switch
There is an information exposure vulnerability in Huawei Ethernet switch. When uploading files to some directory, the user needs to enter the username and password. However, the system does not mask passwords. As a result, the password entered is displayed in plain text, leading to password leaks...
Security Advisory - DoS Vulnerabilities in Driver of Huawei Smart Phones
There is a Denial of Service (DoS) vulnerability in the ION driver and in the Maximsmartpadev driver of some Huawei smart phones, respectively. An attacker may trick a user into installing a malicious application and the application can access an invalid address of the driver to crash the system. Vulnerability ID:...
Security Advisory - Integer Overflowing Vulnerability in Huawei Smart Phone
An integer overflowing vulnerability exists in a Huawei smart phone. The attacker tricks the user into installing a malicious application to obtain system or camera privilege and exploits the vulnerability to obtain the root privilege. Vulnerability ID: HWPSIRT-2015-11025 This vulnerability has been...
Security Advisory - Multiple Security Vulnerabilities in Driver of Huawei Smart Phones
There are multiple security vulnerabilities in drivers of some Huawei smart phones. There are two interface access control vulnerabilities in the Graphics driver. An attacker may trick a user into installing a malicious application and the application can exploit the vulnerability to crash the system or...
Security Advisory - Input Check Vulnerability in Huawei Smart Phone
There is a vulnerability in a Huawei smart phone that does not validate an input parameter. The attacker tricks the user into installing a malicious application to obtain system or camera privilege and can then exploit the vulnerability to make the product system panic. Vulnerability ID: HWPSIRT-2015-110...
Security Advisory - Buffer Overflow Vulnerability in HIFI Driver of Huawei Smart Phone
The HIFI driver of some Huawei products has a buffer overflow vulnerability due to the lack of a parameter check. An attacker may trick a user into installing a malicious application, and the application can send a given parameter to the HIFI driver to crash the system or escalate user privilege...
Security Advisory - DoS Vulnerabilities in JPU Driver of Huawei Products
There are two Denial of Service (DoS) vulnerabilities in Joint Photographic Experts Group Processing Unit (JPU) drivers of some Huawei products. An attacker who tricks a user into installing a malicious application which has the system or camera permission may input invalid parameters into the JPU...
Security Advisory - Two DoS Vulnerabilities in the HIFI Driver of Huawei Smart Phone
Some Huawei smart phones have two DoS (Denial of Service) security vulnerabilities in the HIFI driver. An attacker may trick a user into installing a malicious application and use the application to input a null pointer as a parameter, which can reboot the system. Vulnerability ID: HWPSIRT-2015-10038 a...
Security Advisory - Baidu WormHole Vulnerability in Huawei Mobile Phones
Preinstalled Baidu apps in certain Huawei mobile phones have the WormHole vulnerability. An attacker can exploit this vulnerability to read information about, modify data in, or take control over the affected mobile phones. Vulnerability ID: HWPSIRT-2015-10045 Huawei has released software updates...
Security Advisory - DoS Vulnerability in Huawei LogCenter
Huawei LogCenter has a DoS vulnerability. After logging in to the LogCenter, an attacker can add abnormal device information to the log collection module. The LogCenter system does not verify input device information. As a result, the log collection module denies services. Vulnerability ID:...
Security Advisory - Privilege Escalation Vulnerability in Huawei LogCenter
Huawei LogCenter has a privilege escalation vulnerability. After logging in to the LogCenter, a low-privileged attacker can tamper with requests using a tool and submit the request to the server for privilege escalation, affecting some system functions. Vulnerability ID: HWPSIRT-2015-09020 This...