Details of VAR-201803-1045

ID

VAR-201803-1045

CVE

CVE-2017-17169

TITLE

Huawei DP300 Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012875

DESCRIPTION

The CIDAM Protocol on some Huawei Products has multiple input validation vulnerabilities due to insufficient validation of specific messages when the protocol is implemented. An authenticated remote attacker could send a malicious message to a target system. Successful exploit could allow the attacker to tamper with business and make the system abnormal. Affected Huawei Products are: DP300 versions V500R002C00, V500R002C00B010, V500R002C00B011, V500R002C00B012, V500R002C00B013, V500R002C00B014, V500R002C00B017, V500R002C00B018, V500R002C00SPC100, V500R002C00SPC200, V500R002C00SPC300, V500R002C00SPC400, V500R002C00SPC500, V500R002C00SPC600, V500R002C00SPC800, V500R002C00SPC900, V500R002C00SPCa00; RP200 versions V500R002C00SPC200, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE30 versions V100R001C10SPC300, V100R001C10SPC500, V100R001C10SPC600, V100R001C10SPC700B010, V500R002C00SPC200, V500R002C00SPC500, V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC900, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE40 versions V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC900, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE50 versions V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE60 versions V100R001C10, V100R001C10B001, V100R001C10B002, V100R001C10B010, V100R001C10B011, V100R001C10B012, V100R001C10B013, V100R001C10B014, V100R001C10B016, V100R001C10B017, V100R001C10B018, V100R001C10B019, V100R001C10SPC400, V100R001C10SPC500, V100R001C10SPC600, V100R001C10SPC700, V100R001C10SPC800B011, V100R001C10SPC900, V500R002C00, V500R002C00B010, V500R002C00B011, V500R002C00SPC100, V500R002C00SPC200, V500R002C00SPC300, V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC800, V500R002C00SPC900, V500R002C00SPCa00, V500R002C00SPCb00, V500R002C00SPCd00, V500R002C00SPCe00, V600R006C00, V600R006C00SPC100, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; eSpace U1981 version V200R003C20SPC900. Huawei DP300 Contains an input validation vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Huawei DP300 is a video conferencing terminal of China's Huawei company. CIDAM is one of the information transmission protocols. A remote attacker can exploit the vulnerability by sending maliciously constructed information to the target device to cause a denial of service (destroying normal business and system anomalies)

Trust: 2.25

sources: NVD: CVE-2017-17169 // JVNDB: JVNDB-2017-012875 // CNVD: CNVD-2017-38104 // VULHUB: VHN-108164

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-38104

AFFECTED PRODUCTS

vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b018	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc100	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc200	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc300	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc400	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc500	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc600	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc800	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc900	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spca00	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b010	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b011	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b012	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b013	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b014	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b017	Trust: 1.8
vendor:	huawei	model:	dp300 v500r002c00	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b010	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b011	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b012	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b013	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b014	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b017	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b018	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc100	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc200	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc300	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc400	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc50	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc600	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc800	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc900	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spca00	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2017-38104 // JVNDB: JVNDB-2017-012875 // CNNVD: CNNVD-201712-873 // NVD: CVE-2017-17169

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-17169
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-17169
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-38104
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201712-873
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-108164
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-17169
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-38104
severity:	HIGH
baseScore:	9.4
vectorString:	AV:N/AC:L/AU:N/C:N/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-108164
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-17169
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.2
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-38104 // VULHUB: VHN-108164 // JVNDB: JVNDB-2017-012875 // CNNVD: CNNVD-201712-873 // NVD: CVE-2017-17169

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-108164 // JVNDB: JVNDB-2017-012875 // NVD: CVE-2017-17169

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-873

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201712-873

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012875

PATCH

title:	huawei-sa-20171220-02-cidam	url:	http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-02-cidam-en	Trust: 0.8
title:	Patch for HuaweiDP300CIDAM Protocol Input Validation Vulnerability (CNVD-2017-38104)	url:	https://www.cnvd.org.cn/patchInfo/show/111719	Trust: 0.6
title:	Huawei DP300 Enter the fix for the verification vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77322	Trust: 0.6

sources: CNVD: CNVD-2017-38104 // JVNDB: JVNDB-2017-012875 // CNNVD: CNNVD-201712-873

EXTERNAL IDS

db:	NVD	id:	CVE-2017-17169	Trust: 3.1
db:	JVNDB	id:	JVNDB-2017-012875	Trust: 0.8
db:	CNNVD	id:	CNNVD-201712-873	Trust: 0.7
db:	CNVD	id:	CNVD-2017-38104	Trust: 0.6
db:	VULHUB	id:	VHN-108164	Trust: 0.1

sources: CNVD: CNVD-2017-38104 // VULHUB: VHN-108164 // JVNDB: JVNDB-2017-012875 // CNNVD: CNNVD-201712-873 // NVD: CVE-2017-17169

REFERENCES

url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-02-cidam-en	Trust: 1.7
url:	http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20171220-02-cidam-cn	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17169	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-17169	Trust: 0.8

sources: CNVD: CNVD-2017-38104 // VULHUB: VHN-108164 // JVNDB: JVNDB-2017-012875 // CNNVD: CNNVD-201712-873 // NVD: CVE-2017-17169

CREDITS

The vulnerability was discovered by Huawei internal testing.

Trust: 0.6

sources: CNNVD: CNNVD-201712-873

SOURCES

db:	CNVD	id:	CNVD-2017-38104
db:	VULHUB	id:	VHN-108164
db:	JVNDB	id:	JVNDB-2017-012875
db:	CNNVD	id:	CNNVD-201712-873
db:	NVD	id:	CVE-2017-17169

LAST UPDATE DATE

2024-11-23T22:52:11.733000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-38104	date:	2017-12-26T00:00:00
db:	VULHUB	id:	VHN-108164	date:	2019-12-23T00:00:00
db:	JVNDB	id:	JVNDB-2017-012875	date:	2018-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201712-873	date:	2019-12-27T00:00:00
db:	NVD	id:	CVE-2017-17169	date:	2024-11-21T03:17:38.200

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-38104	date:	2017-12-26T00:00:00
db:	VULHUB	id:	VHN-108164	date:	2018-03-09T00:00:00
db:	JVNDB	id:	JVNDB-2017-012875	date:	2018-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201712-873	date:	2017-12-25T00:00:00
db:	NVD	id:	CVE-2017-17169	date:	2018-03-09T17:29:00.737