A team of pentest training specialists has reported the finding of a serious vulnerability in multiple products from the Chinese technology company Huawei. According to the report, the successful exploitation of this flaw could lead to denial of service (DoS) attacks.
The affected products are Huawei eLog (version 184.108.40.206), Huawei Myna (220.127.116.11) and Huawei FusionCube (versions 3.2.1.SPC201, 6.0.0, 6.0.RC3). Below is a brief description of the reported failure, along with its tracking key and Common Vulnerability Scoring System (CVSS) score.
CVE-2020-1967: According to pentest training experts, the vulnerability exists due to a NULL pointer re-reference in the SSL_check_chain () function during or after the TLS 1.3 handshake, which could allow remote threat actors to execute the attack DoS against the target system.
Apparently, all attackers require is to send unacknowledged or invalid signed algorithms, leading to the crash of the affected system. This is a medium severity flaw, so it received a CVSS score of 6.3 /10.
While the flaw can be exploited remotely by unauthenticated threat actors, pentest training experts have not detected any attempts at active exploitation. There also appears to be no malware variant related to this attack, at least for the time being.
The report was recognized by Huawei shortly after being received. The company mentions that the updates are already available, so users of affected implementations should only verify their correct installation to mitigate the risk of exploitation.