Details of VAR-201803-1044

ID

VAR-201803-1044

CVE

CVE-2017-17168

TITLE

Huawei DP300 Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012874

DESCRIPTION

The CIDAM Protocol on some Huawei Products has multiple input validation vulnerabilities due to insufficient validation of specific messages when the protocol is implemented. An authenticated remote attacker could send a malicious message to a target system. Successful exploit could allow the attacker to tamper with business and make the system abnormal. Affected Huawei Products are: DP300 versions V500R002C00, V500R002C00B010, V500R002C00B011, V500R002C00B012, V500R002C00B013, V500R002C00B014, V500R002C00B017, V500R002C00B018, V500R002C00SPC100, V500R002C00SPC200, V500R002C00SPC300, V500R002C00SPC400, V500R002C00SPC500, V500R002C00SPC600, V500R002C00SPC800, V500R002C00SPC900, V500R002C00SPCa00; RP200 versions V500R002C00SPC200, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE30 versions V100R001C10SPC300, V100R001C10SPC500, V100R001C10SPC600, V100R001C10SPC700B010, V500R002C00SPC200, V500R002C00SPC500, V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC900, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE40 versions V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC900, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE50 versions V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE60 versions V100R001C10, V100R001C10B001, V100R001C10B002, V100R001C10B010, V100R001C10B011, V100R001C10B012, V100R001C10B013, V100R001C10B014, V100R001C10B016, V100R001C10B017, V100R001C10B018, V100R001C10B019, V100R001C10SPC400, V100R001C10SPC500, V100R001C10SPC600, V100R001C10SPC700, V100R001C10SPC800B011, V100R001C10SPC900, V500R002C00, V500R002C00B010, V500R002C00B011, V500R002C00SPC100, V500R002C00SPC200, V500R002C00SPC300, V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC800, V500R002C00SPC900, V500R002C00SPCa00, V500R002C00SPCb00, V500R002C00SPCd00, V500R002C00SPCe00, V600R006C00, V600R006C00SPC100, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; eSpace U1981 version V200R003C20SPC900. Huawei DP300 Contains an input validation vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Huawei DP300 is a video conferencing terminal of China's Huawei company. CIDAM is one of the information transmission protocols. A remote attacker can exploit the vulnerability by sending maliciously constructed information to the target device to cause a denial of service (destroying normal business and system anomalies)

Trust: 2.25

sources: NVD: CVE-2017-17168 // JVNDB: JVNDB-2017-012874 // CNVD: CNVD-2017-38103 // VULHUB: VHN-108163

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-38103

AFFECTED PRODUCTS

vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b018	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc100	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc200	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc300	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc400	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc500	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc600	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc800	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc900	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spca00	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b010	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b011	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b012	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b013	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b014	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b017	Trust: 1.8
vendor:	huawei	model:	dp300 v500r002c00	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b010	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b011	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b012	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b013	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b014	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b017	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b018	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc100	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc200	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc300	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc400	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc50	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc600	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc800	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc900	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spca00	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2017-38103 // JVNDB: JVNDB-2017-012874 // CNNVD: CNNVD-201712-872 // NVD: CVE-2017-17168

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-17168
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-17168
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-38103
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201712-872
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-108163
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-17168
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-38103
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-108163
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-17168
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.2
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-38103 // VULHUB: VHN-108163 // JVNDB: JVNDB-2017-012874 // CNNVD: CNNVD-201712-872 // NVD: CVE-2017-17168

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-108163 // JVNDB: JVNDB-2017-012874 // NVD: CVE-2017-17168

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-872

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201712-872

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012874

PATCH

title:	huawei-sa-20171220-02-cidam	url:	http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-02-cidam-en	Trust: 0.8
title:	HuaweiDP300CIDAM protocol input verification vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/111721	Trust: 0.6
title:	Huawei DP300 Enter the fix for the verification vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77321	Trust: 0.6

sources: CNVD: CNVD-2017-38103 // JVNDB: JVNDB-2017-012874 // CNNVD: CNNVD-201712-872

EXTERNAL IDS

db:	NVD	id:	CVE-2017-17168	Trust: 3.1
db:	JVNDB	id:	JVNDB-2017-012874	Trust: 0.8
db:	CNNVD	id:	CNNVD-201712-872	Trust: 0.7
db:	CNVD	id:	CNVD-2017-38103	Trust: 0.6
db:	VULHUB	id:	VHN-108163	Trust: 0.1

sources: CNVD: CNVD-2017-38103 // VULHUB: VHN-108163 // JVNDB: JVNDB-2017-012874 // CNNVD: CNNVD-201712-872 // NVD: CVE-2017-17168

REFERENCES

url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-02-cidam-en	Trust: 1.7
url:	http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20171220-02-cidam-cn	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17168	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-17168	Trust: 0.8

sources: CNVD: CNVD-2017-38103 // VULHUB: VHN-108163 // JVNDB: JVNDB-2017-012874 // CNNVD: CNNVD-201712-872 // NVD: CVE-2017-17168

CREDITS

The vulnerability was discovered by Huawei internal testing.

Trust: 0.6

sources: CNNVD: CNNVD-201712-872

SOURCES

db:	CNVD	id:	CNVD-2017-38103
db:	VULHUB	id:	VHN-108163
db:	JVNDB	id:	JVNDB-2017-012874
db:	CNNVD	id:	CNNVD-201712-872
db:	NVD	id:	CVE-2017-17168

LAST UPDATE DATE

2024-11-23T21:53:20.877000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-38103	date:	2017-12-26T00:00:00
db:	VULHUB	id:	VHN-108163	date:	2019-12-23T00:00:00
db:	JVNDB	id:	JVNDB-2017-012874	date:	2018-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201712-872	date:	2019-12-27T00:00:00
db:	NVD	id:	CVE-2017-17168	date:	2024-11-21T03:17:38.060

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-38103	date:	2017-12-26T00:00:00
db:	VULHUB	id:	VHN-108163	date:	2018-03-09T00:00:00
db:	JVNDB	id:	JVNDB-2017-012874	date:	2018-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201712-872	date:	2017-12-25T00:00:00
db:	NVD	id:	CVE-2017-17168	date:	2018-03-09T17:29:00.687