Multiple security restriction bypass vulnerabilities in Huawei CloudEngine series routers

Release date:
Updated on:

Affected Systems:
Huawei CloudEngine Series Switches CE6800
Huawei CloudEngine Series Switches CE5800
Huawei CloudEngine Series Switches CE12800
Description:
--------------------------------------------------------------------------------
Bugtraq id: 64634

CloudEngine series is a "Cloud" high-performance switch launched by Huawei for next-generation data centers and high-end campuses.

The HWTACACS module of Huawei CloudEngine series switches has multiple security restriction bypass vulnerabilities. If an attacker has a low-privilege user name and password and can log on to the affected device, the vulnerability can be exploited to bypass server authentication checks, increase user permissions, and execute arbitrary commands.

<* Source: vendor

Link: http://secunia.com/advisories/56184/
Http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-323610.htm
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Huawei
------
Huawei has released a Security Bulletin (hw-323610) and patches for this:
Hw-323610: A Vulnerability on the HWTACACS Authorization Module of the CloudEngine
Link: http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-323610.htm