ID

VAR-200907-0113


CVE

CVE-2009-2271


TITLE

Huawei D100 vulnerabilities that allow gaining access

Trust: 0.8

sources: JVNDB: JVNDB-2009-004778

DESCRIPTION

The Huawei D100 has (1) a certain default administrator password for the web interface, and does not force a password change; and has (2) a default password of admin for the admin account in the telnet interface; which makes it easier for remote attackers to obtain access.

Huawei D100 contains the following flaws, which may allow access rights to be obtained.

Huawei D100 is prone to a security-bypass vulnerability and an information-disclosure vulnerability. Attackers can exploit these issues to obtain sensitive information or gain unauthorized access and execute arbitrary commands with root privileges.

D100 is the world's first WiFi adapter that connects mobile phones, game consoles, PCs and laptops together via a WiFi link. Multiple security vulnerabilities exist in the D100 firmware and its default configuration, which may allow LAN users to gain unauthorized access to the device.

#2 The Telnet service is enabled by default, and users in the LAN can use the default admin:admin account to log in with root user authority.

TITLE: Huawei D100 Information Disclosure and Undocumented Telnet Account
SECUNIA ADVISORY ID: SA35638
VERIFY ADVISORY: http://secunia.com/advisories/35638/
DESCRIPTION: Filip Palian has reported a vulnerability and a security issue in Huawei D100, which can be exploited by malicious people to disclose sensitive information or compromise a vulnerable device.
1) Access to the "en/lan_status_adv.asp", "en/wlan_basic_cfg.asp", and "en/lancfg.asp" scripts is not properly restricted. This can be exploited to disclose sensitive information by accessing the scripts directly.
SOLUTION: Restrict internal network access to trusted users only.
PROVIDED AND/OR DISCOVERED BY: Filip Palian

Trust: 2.07

sources: NVD: CVE-2009-2271 // JVNDB: JVNDB-2009-004778 // BID: 43764 // VULHUB: VHN-39717 // PACKETSTORM: 78906

AFFECTED PRODUCTS

vendor: huawei, model: d100, scope: eq, version: -

Trust: 1.6

vendor: huawei, model: d100, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2009-004778 // CNNVD: CNNVD-200907-009 // NVD: CVE-2009-2271

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-2271
value: HIGH

Trust: 1.0

NVD: CVE-2009-2271
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200907-009
value: CRITICAL

Trust: 0.6

VULHUB: VHN-39717
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2009-2271
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-39717
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-39717 // JVNDB: JVNDB-2009-004778 // CNNVD: CNNVD-200907-009 // NVD: CVE-2009-2271

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.9

sources: VULHUB: VHN-39717 // JVNDB: JVNDB-2009-004778 // NVD: CVE-2009-2271

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200907-009

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-200907-009

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-004778

PATCH

title: Top Page, url: http://www.huawei.com/en/

Trust: 0.8

sources: JVNDB: JVNDB-2009-004778

EXTERNAL IDS

db: NVD, id: CVE-2009-2271

Trust: 2.8

db: SECUNIA, id: 35638

Trust: 1.8

db: JVNDB, id: JVNDB-2009-004778

Trust: 0.8

db: BUGTRAQ, id: 20090630 MULTIPLE FLAWS IN HUAWEI D100

Trust: 0.6

db: CNNVD, id: CNNVD-200907-009

Trust: 0.6

db: BID, id: 43764

Trust: 0.3

db: VULHUB, id: VHN-39717

Trust: 0.1

db: PACKETSTORM, id: 78906

Trust: 0.1

sources: VULHUB: VHN-39717 // BID: 43764 // JVNDB: JVNDB-2009-004778 // PACKETSTORM: 78906 // CNNVD: CNNVD-200907-009 // NVD: CVE-2009-2271

REFERENCES

url:http://secunia.com/advisories/35638

Trust: 1.7

url:http://www.securityfocus.com/archive/1/504645/100/0/threaded

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2271

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-2271

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/504645/100/0/threaded

Trust: 0.6

url:http://www.huawei.com/

Trust: 0.3

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/35638/

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-39717 // BID: 43764 // JVNDB: JVNDB-2009-004778 // PACKETSTORM: 78906 // CNNVD: CNNVD-200907-009 // NVD: CVE-2009-2271

CREDITS

Filip Palian filip.palian@pjwstk.edu.pl

Trust: 0.6

sources: CNNVD: CNNVD-200907-009

SOURCES

db: VULHUB, id: VHN-39717
db: BID, id: 43764
db: JVNDB, id: JVNDB-2009-004778
db: PACKETSTORM, id: 78906
db: CNNVD, id: CNNVD-200907-009
db: NVD, id: CVE-2009-2271

LAST UPDATE DATE

2025-04-10T23:16:26.725000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-39717, date: 2018-10-10T00:00:00
db: BID, id: 43764, date: 2015-03-19T09:25:00
db: JVNDB, id: JVNDB-2009-004778, date: 2012-09-25T00:00:00
db: CNNVD, id: CNNVD-200907-009, date: 2009-07-15T00:00:00
db: NVD, id: CVE-2009-2271, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB, id: VHN-39717, date: 2009-07-01T00:00:00
db: BID, id: 43764, date: 2009-07-03T00:00:00
db: JVNDB, id: JVNDB-2009-004778, date: 2012-09-25T00:00:00
db: PACKETSTORM, id: 78906, date: 2009-07-06T09:26:51
db: CNNVD, id: CNNVD-200907-009, date: 2009-06-30T00:00:00
db: NVD, id: CVE-2009-2271, date: 2009-07-01T13:00:01.517