Details of VAR-201803-0194

ID

VAR-201803-0194

CVE

CVE-2017-17304

TITLE

Huawei DP300 Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012884

DESCRIPTION

The CIDAM Protocol on some Huawei Products has multiple input validation vulnerabilities due to insufficient validation of specific messages when the protocol is implemented. An authenticated remote attacker could send a malicious message to a target system. Successful exploit could allow the attacker to tamper with business and make the system abnormal. Affected Huawei Products are: DP300 versions V500R002C00, V500R002C00B010, V500R002C00B011, V500R002C00B012, V500R002C00B013, V500R002C00B014, V500R002C00B017, V500R002C00B018, V500R002C00SPC100, V500R002C00SPC200, V500R002C00SPC300, V500R002C00SPC400, V500R002C00SPC500, V500R002C00SPC600, V500R002C00SPC800, V500R002C00SPC900, V500R002C00SPCa00; RP200 versions V500R002C00SPC200, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE30 versions V100R001C10SPC300, V100R001C10SPC500, V100R001C10SPC600, V100R001C10SPC700B010, V500R002C00SPC200, V500R002C00SPC500, V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC900, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE40 versions V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC900, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE50 versions V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE60 versions V100R001C10, V100R001C10B001, V100R001C10B002, V100R001C10B010, V100R001C10B011, V100R001C10B012, V100R001C10B013, V100R001C10B014, V100R001C10B016, V100R001C10B017, V100R001C10B018, V100R001C10B019, V100R001C10SPC400, V100R001C10SPC500, V100R001C10SPC600, V100R001C10SPC700, V100R001C10SPC800B011, V100R001C10SPC900, V500R002C00, V500R002C00B010, V500R002C00B011, V500R002C00SPC100, V500R002C00SPC200, V500R002C00SPC300, V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC800, V500R002C00SPC900, V500R002C00SPCa00, V500R002C00SPCb00, V500R002C00SPCd00, V500R002C00SPCe00, V600R006C00, V600R006C00SPC100, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; eSpace U1981 version V200R003C20SPC900. Huawei DP300 Contains an input validation vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Huawei DP300 is a video conferencing terminal of China's Huawei company. CIDAM is one of the information transmission protocols. A remote attacker can exploit the vulnerability by sending maliciously constructed information to the target device to cause a denial of service (destroying normal business and system anomalies)

Trust: 2.34

sources: NVD: CVE-2017-17304 // JVNDB: JVNDB-2017-012884 // CNVD: CNVD-2017-38106 // VULHUB: VHN-108313 // VULMON: CVE-2017-17304

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-38106

AFFECTED PRODUCTS

vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b018	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc100	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc200	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc300	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc400	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc500	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc600	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc800	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc900	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spca00	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b010	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b011	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b012	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b013	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b014	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b017	Trust: 1.8
vendor:	huawei	model:	dp300 v500r002c00	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b010	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b011	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b012	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b013	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b014	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b017	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b018	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc100	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc200	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc300	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc400	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc50	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc600	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc800	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc900	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spca00	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2017-38106 // JVNDB: JVNDB-2017-012884 // CNNVD: CNNVD-201712-875 // NVD: CVE-2017-17304

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-17304
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-17304
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-38106
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201712-875
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-108313
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-17304
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-17304
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-38106
severity:	HIGH
baseScore:	9.4
vectorString:	AV:N/AC:L/AU:N/C:N/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-108313
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-17304
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.2
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-38106 // VULHUB: VHN-108313 // VULMON: CVE-2017-17304 // JVNDB: JVNDB-2017-012884 // CNNVD: CNNVD-201712-875 // NVD: CVE-2017-17304

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-108313 // JVNDB: JVNDB-2017-012884 // NVD: CVE-2017-17304

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-875

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201712-875

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012884

PATCH

title:	huawei-sa-20171220-02-cidam	url:	http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-02-cidam-en	Trust: 0.8
title:	Patch for HuaweiDP300CIDAM Protocol Input Verification Vulnerability (CNVD-2017-38106)	url:	https://www.cnvd.org.cn/patchInfo/show/111715	Trust: 0.6
title:	Huawei DP300 Enter the fix for the verification vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77324	Trust: 0.6
title:	Huawei Security Advisories: Security Advisory - Multiple Input Validation Vulnerabilities in CIDAM Protocol on Huawei Products	url:	https://vulmon.com/vendoradvisory?qidtp=huawei_security_advisories&qid=caa656e53482335ae35993a3d60171b2	Trust: 0.1

sources: CNVD: CNVD-2017-38106 // VULMON: CVE-2017-17304 // JVNDB: JVNDB-2017-012884 // CNNVD: CNNVD-201712-875

EXTERNAL IDS

db:	NVD	id:	CVE-2017-17304	Trust: 3.2
db:	JVNDB	id:	JVNDB-2017-012884	Trust: 0.8
db:	CNNVD	id:	CNNVD-201712-875	Trust: 0.7
db:	CNVD	id:	CNVD-2017-38106	Trust: 0.6
db:	VULHUB	id:	VHN-108313	Trust: 0.1
db:	VULMON	id:	CVE-2017-17304	Trust: 0.1

sources: CNVD: CNVD-2017-38106 // VULHUB: VHN-108313 // VULMON: CVE-2017-17304 // JVNDB: JVNDB-2017-012884 // CNNVD: CNNVD-201712-875 // NVD: CVE-2017-17304

REFERENCES

url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-02-cidam-en	Trust: 1.9
url:	http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20171220-02-cidam-cn	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17304	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-17304	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2017-38106 // VULHUB: VHN-108313 // VULMON: CVE-2017-17304 // JVNDB: JVNDB-2017-012884 // CNNVD: CNNVD-201712-875 // NVD: CVE-2017-17304

CREDITS

The vulnerability was discovered by Huawei internal testing.

Trust: 0.6

sources: CNNVD: CNNVD-201712-875

SOURCES

db:	CNVD	id:	CNVD-2017-38106
db:	VULHUB	id:	VHN-108313
db:	VULMON	id:	CVE-2017-17304
db:	JVNDB	id:	JVNDB-2017-012884
db:	CNNVD	id:	CNNVD-201712-875
db:	NVD	id:	CVE-2017-17304

LAST UPDATE DATE

2024-11-23T22:22:12.076000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-38106	date:	2017-12-26T00:00:00
db:	VULHUB	id:	VHN-108313	date:	2019-12-23T00:00:00
db:	VULMON	id:	CVE-2017-17304	date:	2019-12-23T00:00:00
db:	JVNDB	id:	JVNDB-2017-012884	date:	2018-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201712-875	date:	2019-12-27T00:00:00
db:	NVD	id:	CVE-2017-17304	date:	2024-11-21T03:17:47.813

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-38106	date:	2017-12-26T00:00:00
db:	VULHUB	id:	VHN-108313	date:	2018-03-09T00:00:00
db:	VULMON	id:	CVE-2017-17304	date:	2018-03-09T00:00:00
db:	JVNDB	id:	JVNDB-2017-012884	date:	2018-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201712-875	date:	2017-12-25T00:00:00
db:	NVD	id:	CVE-2017-17304	date:	2018-03-09T17:29:01.813