Vulnerability-Lookup

CNVD-2017-04634

Vulnerability from cnvd - Published: 2017-04-19

Title

华为WS318设计漏洞

Description

华为WS318是中国华为（Huawei）公司的一款无线路由器产品。华为WS318 V100R001C01B022及之前的版本中存在安全漏洞，该漏洞源于产品使用的供应商解决方案中的随机数发生器（RNG）的随机性不足。攻击者可通过被破解设备利用该漏洞访问互连网。

Severity

中

Patch Name

华为WS318设计漏洞的补丁

Patch Description

华为WS318是中国华为（Huawei）公司的一款无线路由器产品。华为WS318 V100R001C01B022及之前的版本中存在安全漏洞，该漏洞源于产品使用的供应商解决方案中的随机数发生器（RNG）的随机性不足。攻击者可通过被破解设备利用该漏洞访问互连网。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接：http://www.huawei.com/cn/psirt/security-advisories/hw-408090

Reference

http://www.huawei.com/en/psirt/security-advisories/hw-408091

Impacted products

Name
Huawei WS318 <=V100R001C01B022

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2014-9690",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9690"
    }
  },
  "description": "\u534e\u4e3aWS318\u662f\u4e2d\u56fd\u534e\u4e3a\uff08Huawei\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u8def\u7531\u5668\u4ea7\u54c1\u3002\r\n\r\n\u534e\u4e3aWS318 V100R001C01B022\u53ca\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u4f7f\u7528\u7684\u4f9b\u5e94\u5546\u89e3\u51b3\u65b9\u6848\u4e2d\u7684\u968f\u673a\u6570\u53d1\u751f\u5668\uff08RNG\uff09\u7684\u968f\u673a\u6027\u4e0d\u8db3\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u88ab\u7834\u89e3\u8bbe\u5907\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4e92\u8fde\u7f51\u3002",
  "discovererName": "Huawei",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1ahttp://www.huawei.com/cn/psirt/security-advisories/hw-408090",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-04634",
  "openTime": "2017-04-19",
  "patchDescription": "\u534e\u4e3aWS318\u662f\u4e2d\u56fd\u534e\u4e3a\uff08Huawei\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u8def\u7531\u5668\u4ea7\u54c1\u3002\r\n\r\n\u534e\u4e3aWS318 V100R001C01B022\u53ca\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u4f7f\u7528\u7684\u4f9b\u5e94\u5546\u89e3\u51b3\u65b9\u6848\u4e2d\u7684\u968f\u673a\u6570\u53d1\u751f\u5668\uff08RNG\uff09\u7684\u968f\u673a\u6027\u4e0d\u8db3\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u88ab\u7834\u89e3\u8bbe\u5907\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4e92\u8fde\u7f51\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u534e\u4e3aWS318\u8bbe\u8ba1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Huawei WS318 \u003c=V100R001C01B022"
  },
  "referenceLink": "http://www.huawei.com/en/psirt/security-advisories/hw-408091",
  "serverity": "\u4e2d",
  "submitTime": "2017-04-07",
  "title": "\u534e\u4e3aWS318\u8bbe\u8ba1\u6f0f\u6d1e"
}

CVE-2014-9690 (GCVE-0-2014-9690)

Vulnerability from cvelistv5 – Published: 2017-04-02 20:00 – Updated: 2024-08-06 13:55

Summary

Huawei home gateways WS318 with software V100R001C01B022 and earlier versions are affected by the PIN offline brute force cracking vulnerability of the WPS protocol because the random number generator (RNG) used in the supplier's solution is not random enough. As a result, brute force cracking the PIN code is easier. After an attacker cracks the PIN, the attacker can access the Internet via the cracked device.

Severity ?

No CVSS data available.

CWE

WPS PIN Offline Brute Force Crack

Assigner

huawei

References

URL

Tags

http://www.huawei.com/en/psirt/security-advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	WS318 V100R001C01B022 and earlier versions	Affected: WS318 V100R001C01B022 and earlier versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:55:04.314Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.huawei.com/en/psirt/security-advisories/hw-408091"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WS318 V100R001C01B022 and earlier versions",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "WS318 V100R001C01B022 and earlier versions"
            }
          ]
        }
      ],
      "datePublic": "2017-03-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Huawei home gateways WS318 with software V100R001C01B022 and earlier versions are affected by the PIN offline brute force cracking vulnerability of the WPS protocol because the random number generator (RNG) used in the supplier\u0027s solution is not random enough. As a result, brute force cracking the PIN code is easier. After an attacker cracks the PIN, the attacker can access the Internet via the cracked device."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "WPS PIN Offline Brute Force Crack",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-04-02T19:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.huawei.com/en/psirt/security-advisories/hw-408091"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "ID": "CVE-2014-9690",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WS318 V100R001C01B022 and earlier versions",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "WS318 V100R001C01B022 and earlier versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Huawei home gateways WS318 with software V100R001C01B022 and earlier versions are affected by the PIN offline brute force cracking vulnerability of the WPS protocol because the random number generator (RNG) used in the supplier\u0027s solution is not random enough. As a result, brute force cracking the PIN code is easier. After an attacker cracks the PIN, the attacker can access the Internet via the cracked device."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "WPS PIN Offline Brute Force Crack"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.huawei.com/en/psirt/security-advisories/hw-408091",
              "refsource": "CONFIRM",
              "url": "http://www.huawei.com/en/psirt/security-advisories/hw-408091"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2014-9690",
    "datePublished": "2017-04-02T20:00:00",
    "dateReserved": "2015-03-13T00:00:00",
    "dateUpdated": "2024-08-06T13:55:04.314Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-04634

CVE-2014-9690 (GCVE-0-2014-9690)

Tags

Sightings

Nomenclature