PT-2018-6461 · Huawei · Huawei SRG1300 +12
Published: 2018-02-14 · Updated: 2018-03-29 · CVE-2017-17250
CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions:
Huawei AR120-S version V200R005C32
Huawei AR1200 version V200R005C32
Huawei AR1200-S version V200R005C32
Huawei AR150 version V200R005C32
Huawei AR150-S version V200R005C32
Huawei AR160 version V200R005C32
Huawei AR200 version V200R005C32
Huawei AR200-S version V200R005C32
Huawei AR2200-S version V200R005C32
Huawei AR3200 version V200R005C32
Huawei AR3200 versions V200R005C32 through V200R007C00
Huawei AR510 version V200R005C32
Huawei NetEngine16EX version V200R005C32
Huawei SRG1300 version V200R005C32
Huawei SRG2300 version V200R005C32
Huawei SRG3300 version V200R005C32
Description:
The issue is an out-of-bounds write vulnerability. When a user executes a query command after the device has received an abnormal OSPF message, the software writes data past the end of the intended buffer because the input data is not sufficiently verified. An unauthenticated, remote attacker could exploit this by sending abnormal OSPF messages to the device. A successful exploit could cause the system to crash.
Recommendations:
For Huawei AR120-S version V200R005C32, update to a fixed version.
For Huawei AR1200 version V200R005C32, update to a fixed version.
For Huawei AR1200-S version V200R005C32, update to a fixed version.
For Huawei AR150 version V200R005C32, update to a fixed version.
For Huawei AR150-S version V200R005C32, update to a fixed version.
For Huawei AR160 version V200R005C32, update to a fixed version.
For Huawei AR200 version V200R005C32, update to a fixed version.
For Huawei AR200-S version V200R005C32, update to a fixed version.
For Huawei AR2200-S version V200R005C32, update to a fixed version.
For Huawei AR3200 version V200R005C32, update to a fixed version.
For Huawei AR3200 versions V200R005C32 through V200R007C00, update to a fixed version.
For Huawei AR510 version V200R005C32, update to a fixed version.
For Huawei NetEngine16EX version V200R005C32, update to a fixed version.
For Huawei SRG1300 version V200R005C32, update to a fixed version.
For Huawei SRG2300 version V200R005C32, update to a fixed version.
For Huawei SRG3300 version V200R005C32, update to a fixed version.
As a temporary workaround, consider restricting access to the device to minimize the risk of exploitation. Avoid using the device until a patch is available.
Fix
Memory Corruption
Affected Products
Huawei AR120-S
Huawei AR1200
Huawei AR150
Huawei AR160
Huawei AR200
Huawei AR2200
Huawei AR3200
Huawei AR510
Huawei NetEngine16EX
Huawei SRG1300
Huawei SRG2300
Huawei SRG3300
Huawei VRP