Details of VAR-201803-1046

ID

VAR-201803-1046

CVE

CVE-2017-17170

TITLE

plural Huawei Vulnerability related to input validation in products

Trust: 0.8

sources: JVNDB: JVNDB-2017-012876

DESCRIPTION

The CIDAM Protocol on some Huawei Products has multiple input validation vulnerabilities due to insufficient validation of specific messages when the protocol is implemented. An authenticated remote attacker could send a malicious message to a target system. Successful exploit could allow the attacker to tamper with business and make the system abnormal. Affected Huawei Products are: DP300 versions V500R002C00, V500R002C00B010, V500R002C00B011, V500R002C00B012, V500R002C00B013, V500R002C00B014, V500R002C00B017, V500R002C00B018, V500R002C00SPC100, V500R002C00SPC200, V500R002C00SPC300, V500R002C00SPC400, V500R002C00SPC500, V500R002C00SPC600, V500R002C00SPC800, V500R002C00SPC900, V500R002C00SPCa00; RP200 versions V500R002C00SPC200, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE30 versions V100R001C10SPC300, V100R001C10SPC500, V100R001C10SPC600, V100R001C10SPC700B010, V500R002C00SPC200, V500R002C00SPC500, V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC900, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE40 versions V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC900, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE50 versions V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPCb00, V600R006C00, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; TE60 versions V100R001C10, V100R001C10B001, V100R001C10B002, V100R001C10B010, V100R001C10B011, V100R001C10B012, V100R001C10B013, V100R001C10B014, V100R001C10B016, V100R001C10B017, V100R001C10B018, V100R001C10B019, V100R001C10SPC400, V100R001C10SPC500, V100R001C10SPC600, V100R001C10SPC700, V100R001C10SPC800B011, V100R001C10SPC900, V500R002C00, V500R002C00B010, V500R002C00B011, V500R002C00SPC100, V500R002C00SPC200, V500R002C00SPC300, V500R002C00SPC600, V500R002C00SPC700, V500R002C00SPC800, V500R002C00SPC900, V500R002C00SPCa00, V500R002C00SPCb00, V500R002C00SPCd00, V500R002C00SPCe00, V600R006C00, V600R006C00SPC100, V600R006C00SPC200, V600R006C00SPC300, V600R006C00SPC400, V600R006C00SPC500; eSpace U1981 version V200R003C20SPC900. plural Huawei The product contains an input validation vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Huawei DP300 is a video conferencing terminal of China's Huawei company. CIDAM is one of the information transmission protocols. A remote attacker can exploit the vulnerability by sending maliciously constructed information to the target device to cause a denial of service (destroying normal business and system anomalies)

Trust: 2.25

sources: NVD: CVE-2017-17170 // JVNDB: JVNDB-2017-012876 // CNVD: CNVD-2017-38105 // VULHUB: VHN-108166

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-38105

AFFECTED PRODUCTS

vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b018	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc100	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc200	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc300	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc400	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc500	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc600	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc800	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spc900	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00spca00	Trust: 2.4
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b010	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b011	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b012	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b013	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b014	Trust: 1.8
vendor:	huawei	model:	dp300	scope:	eq	version:	v500r002c00b017	Trust: 1.8
vendor:	huawei	model:	dp300 v500r002c00	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b010	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b011	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b012	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b013	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b014	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b017	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00b018	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc100	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc200	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc300	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc400	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc50	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc600	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc800	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spc900	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	dp300 v500r002c00spca00	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2017-38105 // JVNDB: JVNDB-2017-012876 // CNNVD: CNNVD-201712-874 // NVD: CVE-2017-17170

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-17170
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-17170
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-38105
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201712-874
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-108166
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-17170
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-38105
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-108166
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-17170
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.2
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-38105 // VULHUB: VHN-108166 // JVNDB: JVNDB-2017-012876 // CNNVD: CNNVD-201712-874 // NVD: CVE-2017-17170

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-108166 // JVNDB: JVNDB-2017-012876 // NVD: CVE-2017-17170

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-874

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201712-874

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012876

PATCH

title:	huawei-sa-20171220-02-cidam	url:	http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-02-cidam-en	Trust: 0.8
title:	Patch for HuaweiDP300CIDAM Protocol Input Validation Vulnerability (CNVD-2017-38105)	url:	https://www.cnvd.org.cn/patchInfo/show/111717	Trust: 0.6
title:	Huawei DP300 Enter the fix for the verification vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77323	Trust: 0.6

sources: CNVD: CNVD-2017-38105 // JVNDB: JVNDB-2017-012876 // CNNVD: CNNVD-201712-874

EXTERNAL IDS

db:	NVD	id:	CVE-2017-17170	Trust: 3.1
db:	JVNDB	id:	JVNDB-2017-012876	Trust: 0.8
db:	CNNVD	id:	CNNVD-201712-874	Trust: 0.7
db:	CNVD	id:	CNVD-2017-38105	Trust: 0.6
db:	VULHUB	id:	VHN-108166	Trust: 0.1

sources: CNVD: CNVD-2017-38105 // VULHUB: VHN-108166 // JVNDB: JVNDB-2017-012876 // CNNVD: CNNVD-201712-874 // NVD: CVE-2017-17170

REFERENCES

url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-02-cidam-en	Trust: 1.7
url:	http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20171220-02-cidam-cn	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17170	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-17170	Trust: 0.8

sources: CNVD: CNVD-2017-38105 // VULHUB: VHN-108166 // JVNDB: JVNDB-2017-012876 // CNNVD: CNNVD-201712-874 // NVD: CVE-2017-17170

CREDITS

The vulnerability was discovered by Huawei internal testing.

Trust: 0.6

sources: CNNVD: CNNVD-201712-874

SOURCES

db:	CNVD	id:	CNVD-2017-38105
db:	VULHUB	id:	VHN-108166
db:	JVNDB	id:	JVNDB-2017-012876
db:	CNNVD	id:	CNNVD-201712-874
db:	NVD	id:	CVE-2017-17170

LAST UPDATE DATE

2024-11-23T22:17:38.429000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-38105	date:	2017-12-26T00:00:00
db:	VULHUB	id:	VHN-108166	date:	2019-12-23T00:00:00
db:	JVNDB	id:	JVNDB-2017-012876	date:	2018-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201712-874	date:	2019-12-27T00:00:00
db:	NVD	id:	CVE-2017-17170	date:	2024-11-21T03:17:38.343

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-38105	date:	2017-12-26T00:00:00
db:	VULHUB	id:	VHN-108166	date:	2018-03-09T00:00:00
db:	JVNDB	id:	JVNDB-2017-012876	date:	2018-04-26T00:00:00
db:	CNNVD	id:	CNNVD-201712-874	date:	2017-12-25T00:00:00
db:	NVD	id:	CVE-2017-17170	date:	2018-03-09T17:29:00.813