|
[Japanese]
|
JVNDB-2021-000077
|
Huawei EchoLife HG8045Q vulnerable to OS command injection
|
|
EchoLife HT8045Q provided by Huawei is an ONT (Optical Network Terminal) device.
It is equipped with the command line interface for network operators' maintenance purpose, which is disabled by default.
When the command line interface is enabled, operators can interact with a certain restricted set of commands.
The command-line interface fails to process properly a certain crafted inputs, which enables some BusyBox-implemented commands executed (CWE-78).
|
|
CVSS V3 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.7 (High) [IPA Score]
- Access Vector: Adjacent Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
|
|
|
Huawei
- HG8045Q Software version : V300R016C00SPC110
- HG8045Q Software version : V300R018C10
|
|
|
When the command line interface is enabled, an administrator user may execute a certain set of OS commands on the device.
|
|
[Update the Software]
Update the software to the latest version according to the information provided by the developer. The developer has released the following version that addresses the vulnerability.
- Software version : V300R016C00SPC130 (for V300R016C00SPC110)
- Software version : R18C10SPC152 (for V300R018C10)
|
|
Huawei
|
|
- OS Command Injection(CWE-78) [IPA Evaluation]
|
|
- CVE-2021-37028
|
|
- JVN : JVN#41646618
- National Vulnerability Database (NVD) : CVE-2021-37028
|
|
- [2021/08/17]
Web page was published
|
