Huawei Technologies: HUAWEI-SA-20150923-01-FUSIONSERVER
Sep 23, 2015 - 12:00 a.m.

Security Advisory - Multiple Vulnerabilities in Huawei FusionServer Products

2015-09-23 00:00:00
Huawei Technologies
www.huawei.com

CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.004 Low
Percentile: 73.1%

Multiple security vulnerabilities exist in Huawei FusionServer products.

A command injection vulnerability exists in Huawei FusionServer products. An attacker could change the input parameters on the login page and enter commands, such as a user creation command. (Vulnerability ID: HWPSIRT-2015-06075)

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-7841.

Huawei FusionServer products do not verify the permissions of a user who attempts to change specific information. An attacker could exploit this vulnerability by logging in to a server as an operator, crafting a message to change the specific information, and sending the message to the server to change the server information. (Vulnerability ID: HWPSIRT-2015-06076)

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-7842.

A brute force cracking vulnerability exists in Huawei FusionServer products. An attacker could log in as a low-level user and execute some commands on the management interface to verify whether the user name and password of a higher-level user are correct. The device does not restrict the number of query attempts. As a result, a low-level user could brute force crack the user names and passwords of higher-level users, leading to leakage of sensitive information. (Vulnerability ID: HWPSIRT-2015-06078)

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-7843.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:
<http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454418.htm>

Affected configurations

Vendor: huawei. A configuration is affected if it matches any one of the following product and version pairs:

fusionserver_rh2288_v3: v100r003c00
fusionserver_rh2288h_v3: v100r003c00
fusionserver_xh628_v3: v100r003c00
fusionserver_rh1288_v3: v100r003c00spc100
fusionserver_rh2288a_v2: v100r002c00
fusionserver_rh1288a_v2: v100r002c00
fusionserver_rh8100_v3: v100r003c00
fusionserver_ch222_v3: v100r001c00
fusionserver_ch220_v3: v100r001c00
fusionserver_ch121_v3: v100r001c00
