Security Advisory - OpenSSL Heartbeat Extension vulnerability (Heartbleed bug) on Huawei multiple products

SA No: Huawei-SA-20140417-Heartbleed
Initial Release Date: 04-17-2014
Last Release Date: 05-12-2014

Summary
Some OpenSSL software versions used in multiple Huawei products contain the following OpenSSL vulnerability. An unauthenticated remote attacker can dump up to 64 Kbytes of memory from the connected server or client with each malicious heartbeat request. The leaked memory may contain sensitive information, such as passwords and private keys (Vulnerability ID: HWPSIRT-2014-0414). This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0160.

Impact
The impact of this vulnerability varies by product. An attacker may exploit it to dump a bounded amount of device memory per request, and the leaked memory may contain sensitive information, such as passwords and private keys. Upgrading stops further leakage but does not undo exposure that may already have occurred: private keys, certificates and credentials that were resident in memory on an affected device should be replaced after the fix is applied.

Vulnerability Scoring Details
The vulnerability classification has been performed using the CVSSv2 scoring system (http://www.first.org/cvss/).
Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Temporal Score: 4.5 (E:P/RL:U/RC:C)

Technique Details
1. Prerequisite: This vulnerability can be exploited only when the following condition is present: the attacker is able to locally or remotely reach a TLS/DTLS service on the affected device, or can get an affected client to connect to a server the attacker controls.
2. Vulnerability details: The vulnerability is due to a missing bounds check when OpenSSL processes TLS heartbeat packets: the payload length field carried in the heartbeat request is trusted and never compared against the actual length of the received record. An attacker triggers the vulnerability by sending a malformed heartbeat packet whose claimed payload length exceeds the data actually sent; the server answers with a heartbeat response that echoes the claimed number of bytes, reading past the end of the request into adjacent process memory. The attacker may also impersonate a server and send the same malicious packet to a client that connects to it, attacking the client. Each malicious heartbeat packet dumps up to 64 Kbytes of memory, and the attacker can repeat the request at will. The dumped memory may contain sensitive information, such as passwords and private keys.
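The following is an added illustration of the missing bounds check described above; it is not code from this advisory, from Huawei, or from OpenSSL, but a reduced model of the heartbeat handling in OpenSSL's t1_lib.c before and after the 1.0.1g fix. The simulated heap, the constructed SECRET string, and the build_record/probe helpers are assumptions made for the demonstration; the record layout (type, 16-bit big-endian payload_length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding length mandated by RFC 6520 */

/* Constructed stand-in for whatever happened to be allocated next to the
 * record (a cookie, a password, key material). Not taken from the advisory. */
static const char SECRET[] = "cookie=CONSTRUCTED-SECRET-DO-NOT-LEAK";

/* Simulated slab of process memory. The heartbeat record is written at offset 0
 * and SECRET a few bytes after its end, the way neighbouring heap objects sit.
 * Keeping everything inside this array keeps the demo itself well-defined. */
static unsigned char heap[4096];

/* Lay out type(1) | payload_length(2, big-endian) | payload | 16 bytes padding
 * and return the record's true length, i.e. what rrec.length is on the wire. */
static size_t build_record(const unsigned char *payload, size_t real_len,
                           uint16_t claimed_len)
{
    memset(heap, 0, sizeof heap);
    heap[0] = TLS1_HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, payload, real_len);
    memset(heap + 3 + real_len, 0xAA, HB_PADDING);
    size_t rec_len = 1 + 2 + real_len + HB_PADDING;
    memcpy(heap + rec_len + 8, SECRET, sizeof SECRET); /* adjacent "allocation" */
    return rec_len;
}

/* Response builder shared by both handlers: echoes payload_len bytes from p. */
static size_t write_response(unsigned char *out, const unsigned char *p,
                             uint16_t payload_len)
{
    unsigned char *b = out;
    *b++ = TLS1_HB_RESPONSE;
    *b++ = (unsigned char)(payload_len >> 8);
    *b++ = (unsigned char)(payload_len & 0xff);
    memcpy(b, p, payload_len);
    b += payload_len;
    memset(b, 0, HB_PADDING);
    return (size_t)(b - out) + HB_PADDING;
}

/* Pre-1.0.1g logic: payload_length is read from the packet and trusted. rec_len
 * is never consulted, so memcpy reads past the record into whatever follows. */
static int vulnerable_heartbeat(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t *out_len)
{
    (void)rec_len;                                   /* the missing check */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    *out_len = write_response(out, rec + 3, payload_len);
    return 0;
}

/* The 1.0.1g fix: silently discard a record whose claimed payload and padding
 * do not fit inside the bytes that were actually received. */
static int fixed_heartbeat(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;     /* too short to be valid */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return -1;
    *out_len = write_response(out, rec + 3, payload_len);
    return 0;
}

/* Does the response carry the neighbouring secret? (plain substring search) */
static int leaks_secret(const unsigned char *resp, size_t resp_len)
{
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

static unsigned char response[1 + 2 + 0xFFFF + HB_PADDING];

/* Send a 5-byte payload with the given claimed length through a handler.
 * Returns 1 if the secret leaked, 0 if the reply was clean, -1 if the handler
 * discarded the record, -2 if claimed_len would run off the simulated heap. */
static int probe(int (*handler)(const unsigned char *, size_t, unsigned char *, size_t *),
                 uint16_t claimed_len)
{
    static const unsigned char payload[] = "hello";  /* 5 real bytes, NUL excluded */
    if ((size_t)claimed_len + 3 > sizeof heap) return -2;
    size_t rec_len = build_record(payload, 5, claimed_len);
    size_t out_len = 0;
    if (handler(heap, rec_len, response, &out_len) != 0) return -1;
    return leaks_secret(response, out_len);
}

int main(void)
{
    printf("honest request    (claimed=5)    vulnerable=%d fixed=%d\n",
           probe(vulnerable_heartbeat, 5), probe(fixed_heartbeat, 5));
    printf("malformed request (claimed=1000) vulnerable=%d fixed=%d\n",
           probe(vulnerable_heartbeat, 1000), probe(fixed_heartbeat, 1000));
    return 0;
}
```

The check that matters is the comparison against the received record length, not any limit on the claimed value itself: a well-formed 5-byte request passes both handlers, while a request claiming 1000 bytes is echoed back with 995 bytes of neighbouring memory by the vulnerable handler and dropped without a reply by the fixed one. That asymmetry (a reply longer than the data sent versus no reply at all) is also what a non-destructive scanner for this bug looks for.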
Temporary Fix
None.

Software Versions and Fixes
Product Name | Affected Version | Solved Plan/Patch Link
AHR V100R003C00SPC350 and later versions V100R003C00SPC360 BCM BCM V300R003C01 BCM V300R003C30 CCE3.0 CCE V100R003C00 V300R003C30LG0106 SPC002 V300R003C50SPC020 BCM V300R003C30LG0106 SPC002 BCM V300R003C50SPC020 BICP V100R001C50LS0002 BCM V300R003C30LG0106 SPC002 BCM V300R003C50SPC020 V100R003C00CP1301 CPS CPS V100R001C10 CPS V100R001C20 BICP V100R001C50LS0002 Billing V5R5 CBS V500R005C21 CBS CBS V300R003C01 CBS V100R002C02 CRM CSP CTI DWH IDC Solution CC&BM V100R002C61 CC&BM V100R002C62 CC&BM V100R002C72 Wimax BOSS V100R001C01 V600R005C10 V600R005C11SPC100 V300R005C50 V300R006C30 V100R002C10 V100R002C30 V100R001C01 V100R001C03 BCM V300R003C30LG0106 SPC002 BCM V300R003C50SPC020 BICP V100R001C50LS0002 V600R003C90LG1032 V300R005C50SPC011 BICP V100R001C50LS0002 Tecal RH2288 V2 V100R002C00SPC115 Tecal RH2285 V2 V100R002C00SPC113 Tecal E6000 Chassis V100R001C00SPC111 Tecal BH622 V2 V100R002C00SPC108 Tecal BH640 V2 V100R002C00SPC107 Tecal BH640 V2 V100R002C00SPC107 Tecal RH2285 V2 V100R002C00SPC113 Tecal RH2288 V2 V100R002C00SPC115 Tecal RH2485 V2 V100R002C00SPC501 Tecal RH5885 V2 V100R001C02SPC109 Tecal XH310 V2 V100R001C00SPC107 Tecal XH311 V2 V100R001C00SPC107 Tecal XH320 V2 V100R001C00SPC109 Tecal XH621 V2 V100R001C00SPC105 Tecal RH1288 V2 eBIMS V100R001C00SPC100 V100R002C00SPC105 Tecal DH310 V2 V100R001C00SPC107 Tecal DH620 V2 V100R001C00SPC105 Tecal DH621 V2 V100R001C00SPC105 Tecal E6000 Chassis V100R001C00SPC111 Tecal BH622 V2 V100R002C00SPC108 Tecal BH640 V2 V100R002C00SPC107 CSB Solution V100R001C01SPC101 V100R001C00SPC200 ECC500 V600R001C00 V6R1C00SPC100 EDC Solution V100R001C01 eLTE Broadband eSight V300R001C10 Tecal E6000 Chassis V100R001C00SPC111 Tecal BH622 V2 V100R002C00SPC108 Tecal BH640 V2 V100R002C00SPC107 V300R001C10CP2004 Access eCNS600 V100R001C00 eCNS600 V100R002C00 V100R002C00SPC300 V100R002C00SPC300 eSDK Solution V100R002C01 eSight eSpace desktop 
V200R003C00 V200R003C01 V200R003C10 V100R001C01 V100R001C02 V200R001 eSpace Meeting V100R001C00 V100R001C00SPC302 V100R001C02 V100R001C02SPC102 eSight UC&C eSDK IVS V100R003C10SPC100 eSDK UC V100R003C10SPC001 V200R003C01SPC204 V200R003C10SPC104 V100R001C20SPH303 V100R001C01SPH301 V200R001C03SPC800 Portal eSpace IVS eSpace UC V200R001C50 EVC3.3 EVC V300R003C02 FusionCloud Desktop Solution Fusioncube V200R001C50SPC003 T BICP V100R001C50LS0002 V100R003C00 Tecal RH2285 V2 V100R002C00SPC113 V100R002C00 Tecal RH2288 V2 V100R002C00SPC115 V100R002C01 Tecal E9000 Chassis V100R001C00SPC160 V900R008C20SPC508 FusionSphere V100R003C00 HSS9860 HSS9860 V900R008C20 HyperDP OceanStor N8500V200R001C09 OceanStor N8500 V200R001C91 V300R001C11/C12/C31/C32 V200R001C09SPC500 V200R013C00CP2302 IMS iManager M2000 V200R013C00SPC230 iManager M2000 V200R013C00HP2301 iManager PRS V100R014C00SPC100 iManager U2000 V100R009C00SPC300 iManager U2000 V200R014C00SPC100 iManager U2000 V200R014C00SPC110 IMS V200R010C00 ISOP V200R001C00 LMT of GGSN9811/ GGSN9811 V900R008C01 UGW9811 V900R001C03 UGW9811 V900R001C05 UGW9811 V900R009C01 UGW9811 V900R009C02 UGW9811 V900R010C00 UGW9811 V900R010C01 UGW9811 V900R010C72 UGW9811 V900R010C81 IDS2000 iManager M2000 iManager PRS iManager U2000 iManager U2000-M UGW9811/ PDSN9660/ WASN9770/ HA9661 V200R001C91SPC200 ECC500 V3R1C30 V100R014C00CP1501 V100R009C00CP3002 V200R014C00SPC200 CGP V100R006C60SPC609 BICP V100R001C50LS0002 UGW9811 V900R009C01SPC300 UGW9811 V900R009C02SPC200 UGW9811 V900R010C00SPC100 UGW9811 V900R010C01SPC200 UGW9811 HA9661 V900R007C06 PDSN9660 V900R007C02 PDSN9660 V900R007C03 PDSN9660 V900R007C05 PDSN9660 V900R007C06 WASN9770 V300R003C01 WASN9770 V300R003C02 Mediation Mediation V100R002C20 Mediation V100R002C30 Mobile phone Y300 Y300-0100 V100R001C00B197 Mobile phone G510 G510-0200 V100R001C00B193 Mobile phone V900R010C72SPC200 UGW9811 V900R010C81SPC100 HA9661 V900R007C06SPC300 PDSN9660 V900R007C06SPC200 WASN9770 V300R003C02SPC300 BCM 
V300R003C30LG0106 SPC002 BCM V300R003C50SPC020 In the TA ( technical accept) testing Released V100R001C85B177/B187 In the TA ( technical accept) testing V100R001C92B173 In the TA ( technical accept) testing MSOFTX3000 MSOFTX3000 V200R010C10 V200R010C10SPH103 Nastar GENEX Nastar V600R014C00SPC201T GENEX Nastar V600R014C00 V100R001C10/C20/C30 U8686 Mobile phone C8813 NetCol ACC NGIN OCS OIC SNE V300R002C20 SNE V300R002C30 SNE V300R002C40 SNE V300R002C50 BMP V100R002C30 BMP V100R002C40 OCS V100R002C01 OCS V300R003C01 V100R001C00SPC300 V600R014C00CP0010 V100R001C10 V300R002C50 V100R002C40SPC001 BCM V300R003C30LG0106 SPC002 BICP V100R001C50LS0002 BCM V300R003C50SPC020 V100R001C00SPC401 V100R001C00SPC400 OnlineMediation OnlineMediationV300R003C01 OnlineMediationV300R003C02 OnlineMediationV300R003C21 ONIP SNE V300R002C50 BICP V100R001C50LS0002 OnlineMediationV300R003C30 V300R001C60SPC001 V300R001C60SPC002 V300R002C03SPC600 PDU8000 PowerCube1000 V300R002C03 PowerCube Controller Software V300R002C00/C10/C20C/C30 V100R002C00 Policy Center V100R003C00 V100R003C00SPC303 PRM PRM V300R001C08 PRM V300R001C20 RCS9880 SAG V100R002C10 V100R003C00 V200R001C38 BCM V300R003C30LG0106 SPC002 BCM V300R003C50SPC020 V100R002C10CP0001 V100R003C00CP0001 V200R001C38LG0005 SANEX V100R002C00 V100R002C00SPC002 Smart Campaign V300R003C02 OpenEye CMS PCCS V100R002C00SPC100 SOFTX3000 V600R012C10 BICP V100R001C50LS0002 SUM V300R002C02SPC73 SUM V300R002C20SPC74 V600R012C10SPC203 SPS V300R007C00 V300R007C00SPH103 STB V100R002C15LLNL72 V100R002C15LSCD81 V100R001C06LCOE01SPC200 IPTV STB V100R002C15LSCD67 IPTV STB V100R002C15LLNL75 Terminal Middleware V100R001C06LCOE02 SPC200 Tecal E6000 Chassis V100R001C00SPC111 Tecal BH622 V2 SMU02B SMU Tecal E6000 V300R002C02 V300R002C10 V100R002 Tecal RH1288 V2 V100R002C00 V100R002C00SPC108 Tecal BH640 V2 V100R002C00SPC107 Tecal E6000 Chassis V100R001C00SPC111 Tecal BH622 V2 V100R002C00SPC108 Tecal BH640 V2 V100R002C00SPC107 Tecal E9000 Chassis V100R001C00SPC160 Tecal 
CH121 V100R001C00SPC150 Tecal CH140 V100R001C00SPC100 Tecal CH220 V100R001C00SPC150 Tecal CH221 V100R001C00SPC150 Tecal CH222 V100R002C00SPC150 Tecal CH240 V100R001C00SPC150 Tecal CH242 V100R001C00SPC150 Tecal CH242 V3 V100R001C00SPC100 V100R002C00SPC105 Tecal RH2285 V2 V100R002C00 V100R002C00SPC113 Tecal RH2285H V2 V100R002C00 V100R002C00SPC108 Tecal RH2288 V2 V100R002C00 V100R002C00SPC115 Tecal RH2288H V2 V100R002C00 V100R002C00SPC110 Tecal RH2485 V2 V100R002 V100R002C00SPC501 Tecal RH5885 V2 V100R001 V100R003 V100R001C02SPC109 Tecal RH5885 V3 V100R003 V100R003C01SPC101 Tecal RH5885H V3 V100R003 V100R003C00SPC101 Tecal X6000 V100R002 Tecal XH310 V2 V100R001C00SPC107 Tecal XH311 V2 Tecal E6000 V100R001C00 Chassis Tecal E9000 V100R001 Chassis Tecal X8000 WebLMT of BSC6900 WebLMT of BSC6910 V100R001 BSC6900 V100R016C00 V100R016C00SPC600 BSC6910 V100R016C00 V100R009C00SPC100 WebLMT of eGBTS/NODEB/MB V100R001C00SPC107 Tecal XH320 V2 V100R001C00SPC109 Tecal XH621 V2 V100R001C00SPC105 Tecal DH310 V2 V100R001C00SPC107 Tecal DH620 V2 V100R001C00SPC105 Tecal DH621 V2 V100R001C00SPC105 V100R016C00SPC600 BTS3900 V100R009C00 TS BTS3900 V100R009C00 V100R009C00SPC100 BTS3900 V100R009C00 V100R009C00SPC100 V200R001C00 V200R001C00SPC131 V100R001C01 V100R001C01SPC292 UAC3000 V100R003C00 UGC3200 UGC3200 V200R010C00 UPCC UPCC V300R006C01 UPCC V300R006C02 V1R1C00/C10/C11/C30/C31 CGP V100R006C60SPC609 CGP V100R006C60SPC609 V300R006C01SPC203 V300R006C02SPC105 V100R001C10SPC401 WebLMT of eNodeb(FDD) WebLMT of eNodeb(TDD) WFM UPS2000 V100R002C01SPC300 V100R001C10SPC600 USN9810 V100R001C00/C01/C10/C02 V100R002C00/C01/C02/C03 V100R002C10/C11/C12/C13 V900R012C01 VGS SCG V500R005C30 V500R005C30LG0001 UPS5000 V900R012C01SPH003

Obtaining Fixed Software
Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades, or obtain them through the Huawei worldwide website at http://support.huawei.com/support/.
For TAC contact information, please refer to the following links:
TAC for Carrier Customers: http://support.huawei.com/support/pages/news/NewsInfoAction.do?actionFlag=view&doc_id=IN0000034614&colID=ROOTENWEB%7CCO0000000169%7CCO0000003000
TAC for Enterprise Customers: http://support.huawei.com/enterprise/NewsReadAction.action?contentId=NEWS1000000563
TAC for Terminal Customers: http://www.huaweidevice.com/resource/mini/201107199604/FAQ_ServiceHotline_en/index.html and http://www.huaweidevice.com/worldwide/netWorkPoint.do?method=index&directoryId=40

Exploitation and Vulnerability Source
This vulnerability was discovered by Codenomicon and Google security engineers.

Contact Channel for Technique Issue
For security problems with Huawei products and solutions, please contact PSIRT@huawei.com.
For general problems with Huawei products and solutions, please contact Huawei TAC (Huawei Technical Assistance Center) directly to request configuration or technical assistance.

Revision History
2014-05-12 V2.7 UPDATED Updated the Software Versions and Fixes
2014-05-10 V2.6 UPDATED Updated the Software Versions and Fixes
2014-05-10 V2.5 UPDATED Updated the Software Versions and Fixes
2014-05-09 V2.4 UPDATED Updated the Software Versions and Fixes
2014-05-09 V2.3 UPDATED Updated the Software Versions and Fixes
2014-05-08 V2.2 UPDATED Updated the Software Versions and Fixes
2014-05-07 V2.1 UPDATED Updated the Software Versions and Fixes
2014-05-06 V2.0 UPDATED Updated the Software Versions and Fixes
2014-05-05 V1.9 UPDATED Updated the Software Versions and Fixes
2014-05-04 V1.8 UPDATED Updated the Software Versions and Fixes
2014-04-30 V1.7 UPDATED Updated the Software Versions and Fixes
2014-04-28 V1.6 UPDATED Updated the Software Versions and Fixes
2014-04-24 V1.5 UPDATED Updated the Software Versions and Fixes
2014-04-22 V1.4 UPDATED Updated the Software Versions and Fixes
2014-04-21 V1.3 UPDATED Updated the Software Versions and Fixes
2014-04-21 V1.2 UPDATED Updated the Software Versions and Fixes
2014-04-18 V1.1 UPDATED Updated the Software Versions and Fixes
2014-04-17 V1.0 INITIAL

Declaration
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, is entirely at your own risk. Huawei is entitled to amend or update this document from time to time.

Huawei Security Procedures
Complete information on providing feedback on security vulnerabilities in Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.