CVE-2016-2404

Name of the Vulnerable Software and Affected Versions Huawei S5700 versions V200R001C00SPC300 through V200R006C00 Huawei S6700 versions V200R001C00SPC300 through V200R006C00 Huawei S7700 versions V200R001C00SPC300 through V200R006C00 Huawei S9700 versions V200R001C00SPC300 through V200R006C00 Huawei S12700 versions V200R005C00SPC500 through V200R006C00 Huawei ACU2 versions V200R005C00SPC500 through V200R006C00

Description The issue is related to a permission control vulnerability in certain Huawei switches. When a switch has Authentication, Authorization, and Accounting (AAA) enabled for permission control and user permissions are not set correctly, AAA users may gain virtual type terminal (VTY) access permission. This can result in privilege escalation.

Recommendations For Huawei S5700 versions V200R001C00SPC300 through V200R006C00, ensure proper configuration of user permissions when using AAA for permission control. For Huawei S6700 versions V200R001C00SPC300 through V200R006C00, ensure proper configuration of user permissions when using AAA for permission control. For Huawei S7700 versions V200R001C00SPC300 through V200R006C00, ensure proper configuration of user permissions when using AAA for permission control. For Huawei S9700 versions V200R001C00SPC300 through V200R006C00, ensure proper configuration of user permissions when using AAA for permission control. For Huawei S12700 versions V200R005C00SPC500 through V200R006C00, ensure proper configuration of user permissions when using AAA for permission control. For Huawei ACU2 versions V200R005C00SPC500 through V200R006C00, ensure proper configuration of user permissions when using AAA for permission control.