Sign-up

ID

VAR-201803-1321


CVE

CVE-2017-17146


TITLE

Huawei DP300 Integer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012871

DESCRIPTION

Huawei DP300 V500R002C00 have a buffer overflow vulnerability due to the lack of validation. An authenticated local attacker can craft specific XML files to the affected products and parse this file, which result in DoS attacks or remote code execution on the device. Huawei DP300 Contains an integer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Huawei DP300 is a video conferencing terminal of China's Huawei company. The HuaweiDP300XML parser has a buffer overflow vulnerability that is caused by the XML parser not fully verifying the received content. Multiple Huawei Products are prone to multiple local buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will likely result in denial-of-service conditions

Trust: 2.52

sources: NVD: CVE-2017-17146 // JVNDB: JVNDB-2017-012871 // CNVD: CNVD-2017-38450 // BID: 103366 // VULHUB: VHN-108139

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-38450

AFFECTED PRODUCTS

vendor:huaweimodel:dp300scope:eqversion:v500r002c00

Trust: 1.4

vendor:huaweimodel:dp300scope:lteversion:v500r002c00

Trust: 1.0

vendor:huaweimodel:dp300 v500r002c00scope: - version: -

Trust: 0.9

vendor:huaweimodel:dp300 v500r002c00spcb00scope:neversion: -

Trust: 0.3

sources: CNVD: CNVD-2017-38450 // BID: 103366 // JVNDB: JVNDB-2017-012871 // CNNVD: CNNVD-201712-297 // NVD: CVE-2017-17146

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-17146
value: HIGH

Trust: 1.0

NVD: CVE-2017-17146
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-38450
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201712-297
value: HIGH

Trust: 0.6

VULHUB: VHN-108139
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-17146
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-38450
severity: MEDIUM
baseScore: 6.8
vectorString: AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-108139
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-17146
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-38450 // VULHUB: VHN-108139 // JVNDB: JVNDB-2017-012871 // CNNVD: CNNVD-201712-297 // NVD: CVE-2017-17146

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.1

problemtype:CWE-20

Trust: 0.9

sources: VULHUB: VHN-108139 // JVNDB: JVNDB-2017-012871 // NVD: CVE-2017-17146

THREAT TYPE

local

Trust: 0.9

sources: BID: 103366 // CNNVD: CNNVD-201712-297

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201712-297

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-012871

PATCH
title:huawei-sa-20171215-01-xmlurl:http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171215-01-xml-en
Trust: 0.8
title:HuaweiDP300XML parser buffer overflow vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/112077
Trust: 0.6
title:Huawei DP300 Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100234
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-38450 // 
            
            
            
            JVNDB: JVNDB-2017-012871 // 
            
            
            
            CNNVD: CNNVD-201712-297

EXTERNAL IDS
db:NVDid:CVE-2017-17146
Trust: 3.4
db:JVNDBid:JVNDB-2017-012871
Trust: 0.8
db:CNNVDid:CNNVD-201712-297
Trust: 0.7
db:CNVDid:CNVD-2017-38450
Trust: 0.6
db:BIDid:103366
Trust: 0.4
db:VULHUBid:VHN-108139
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2017-38450 // 
            
            
            
            VULHUB: VHN-108139 // 
            
            
            
            BID: 103366 // 
            
            
            
            JVNDB: JVNDB-2017-012871 // 
            
            
            
            CNNVD: CNNVD-201712-297 // 
            
            
            
            NVD: CVE-2017-17146

REFERENCES
url:http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171215-01-xml-en
Trust: 2.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17146
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-17146
Trust: 0.8
url:http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20171215-01-xml-cn
Trust: 0.6
url:http://www.huawei.com
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-38450 // 
            
            
            
            VULHUB: VHN-108139 // 
            
            
            
            BID: 103366 // 
            
            
            
            JVNDB: JVNDB-2017-012871 // 
            
            
            
            CNNVD: CNNVD-201712-297 // 
            
            
            
            NVD: CVE-2017-17146

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 103366

SOURCES
db:CNVDid:CNVD-2017-38450
db:VULHUBid:VHN-108139
db:BIDid:103366
db:JVNDBid:JVNDB-2017-012871
db:CNNVDid:CNNVD-201712-297
db:NVDid:CVE-2017-17146

LAST UPDATE DATE
2024-11-23T23:05:09.822000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-38450date:2017-12-28T00:00:00
db:VULHUBid:VHN-108139date:2019-10-03T00:00:00
db:BIDid:103366date:2017-12-15T00:00:00
db:JVNDBid:JVNDB-2017-012871date:2018-04-26T00:00:00
db:CNNVDid:CNNVD-201712-297date:2019-10-23T00:00:00
db:NVDid:CVE-2017-17146date:2024-11-21T03:17:34.773

SOURCES RELEASE DATE
db:CNVDid:CNVD-2017-38450date:2017-12-28T00:00:00
db:VULHUBid:VHN-108139date:2018-03-09T00:00:00
db:BIDid:103366date:2017-12-15T00:00:00
db:JVNDBid:JVNDB-2017-012871date:2018-04-26T00:00:00
db:CNNVDid:CNNVD-201712-297date:2017-12-07T00:00:00
db:NVDid:CVE-2017-17146date:2018-03-09T17:29:00.377