CVE-2019-5280 - OpenCVE

The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attacks, leading to the affected phones registered abnormally, affecting the availability of IP phones.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Huawei	Cloudlink Phone 7900 Firmware Cloudlink Phone 7900

Configuration 1 [-]

AND

cpe:2.3:o:huawei:cloudlink_phone_7900_firmware:v600r019c10:*:*:*:*:*:*:*

cpe:2.3:h:huawei:cloudlink_phone_7900:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: huawei

Published: 2019-08-13T20:35:24

Updated: 2019-08-13T20:35:24

Reserved: 2019-01-04T00:00:00

Link: CVE-2019-5280

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-08-13T21:15:12.067

Modified: 2019-08-27T18:21:25.813

Link: CVE-2019-5280

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"containers": {"cna": {"affected": [{"product": "CloudLink Phone 7900", "vendor": "Huawei", "versions": [{"status": "affected", "version": "V600R019C10"}]}], "descriptions": [{"lang": "en", "value": "The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attacks, leading to the affected phones registered abnormally, affecting the availability of IP phones."}], "problemTypes": [{"descriptions": [{"description": "TLS certificate verification", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-13T20:35:24", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2019-5280", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CloudLink Phone 7900", "version": {"version_data": [{"version_value": "V600R019C10"}]}}]}, "vendor_name": "Huawei"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attacks, leading to the affected phones registered abnormally, affecting the availability of IP phones."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "TLS certificate verification"}]}]}, "references": {"reference_data": [{"name": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en", "refsource": "CONFIRM", "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en"}]}}}}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2019-5280", "datePublished": "2019-08-13T20:35:24", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2019-08-13T20:35:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:cloudlink_phone_7900_firmware:v600r019c10:*:*:*:*:*:*:*", "matchCriteriaId": "E564A0A3-4240-4DB3-99DA-2C8E35A315E4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:cloudlink_phone_7900:-:*:*:*:*:*:*:*", "matchCriteriaId": "946E376D-D857-4577-8DBC-DE788F91E124", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attacks, leading to the affected phones registered abnormally, affecting the availability of IP phones."}, {"lang": "es", "value": "El m\u00f3dulo SIP TLS del tel\u00e9fono Huawei CloudLink 7900 con V600R019C10 tiene una vulnerabilidad de verificaci\u00f3n de certificado TLS. Debido a la verificaci\u00f3n insuficiente de los par\u00e1metros espec\u00edficos del certificado del servidor TLS, los atacantes pueden realizar ataques de tipo man-in-the-middle , lo que lleva a que los tel\u00e9fonos afectados se registren de manera anormal, lo que afecta la disponibilidad de los tel\u00e9fonos IP."}], "id": "CVE-2019-5280", "lastModified": "2019-08-27T18:21:25.813", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-13T21:15:12.067", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}