Huawei OceanStor 5600 V300R003C00 SSH Key hard-coded credentials

A vulnerability was found in Huawei OceanStor 5600 V300R003C00. It has been declared as critical. This vulnerability affects unknown code of the component SSH Key. The manipulation leads to hard-coded credentials. Using CWE to declare the problem leads to CWE-798. The bug was discovered on 10/20/2016. The weakness was released on 04/02/2017 as sa-20161017-01 (Website). The advisory is shared for download at huawei.com. This vulnerability was named CVE-2016-8754. The attack can be initiated remotely. There are no technical details available. There is no exploit available. The current price for an exploit might be approx. USD $0-$5k at the moment. The MITRE ATT&CK project declares the attack technique as T1110.001. It is declared as not defined. The vulnerability was handled as a non-public zero-day exploit for at least 164 days. As a 0-day, the estimated underground price was around $5k-$25k. It is recommended to apply restrictive firewalling. A possible mitigation has been published even before and not after the disclosure of the vulnerability. The vulnerability is also documented in other vulnerability databases: SecurityFocus (BID 93607).

| Field | 04/03/2017 09:02 AM | 08/25/2020 07:44 AM | 11/24/2022 02:06 PM |
|---|---|---|---|
| cvss2_nvd_ii | P | P | P |
| cvss2_nvd_ai | P | P | P |
| cvss3_meta_basescore | 7.4 | 7.4 | 7.4 |
| cvss3_meta_tempscore | 7.2 | 7.2 | 7.3 |
| cvss3_vuldb_basescore | 7.3 | 7.3 | 7.3 |
| cvss3_vuldb_tempscore | 7.1 | 7.1 | 7.1 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | N | N | N |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | L | L | L |
| cvss3_vuldb_i | L | L | L |
| cvss3_vuldb_a | L | L | L |
| cvss3_nvd_av | A | A | A |
| cvss3_nvd_ac | H | H | H |
| cvss3_nvd_pr | N | N | N |
| cvss3_nvd_ui | N | N | N |
| cvss3_nvd_s | U | U | U |
| cvss3_nvd_c | H | H | H |
| cvss3_nvd_i | H | H | H |
| cvss3_nvd_a | H | H | H |
| date | 1491091200 (04/02/2017) | 1491091200 (04/02/2017) | 1491091200 (04/02/2017) |
| url | http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161017-01-storage-en | http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161017-01-storage-en | http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161017-01-storage-en |
| price_0day | $5k-$25k | $5k-$25k | $5k-$25k |
| name | Firewall | Firewall | Firewall |
| cve | CVE-2016-8754 | CVE-2016-8754 | CVE-2016-8754 |
| cve_assigned | 1476748800 (10/18/2016) | 1476748800 (10/18/2016) | 1476748800 (10/18/2016) |
| cve_nvd_published | 1491091200 | 1491091200 | 1491091200 |
| cve_nvd_summary | Huawei OceanStor 5600 V3 V300R003C00 has a hardcoded SSH key vulnerability; the hardcoded keys are used to encrypt communication data and authenticate different nodes of the devices. An attacker may obtain the hardcoded keys and log in to such a device through SSH. | Huawei OceanStor 5600 V3 V300R003C00 has a hardcoded SSH key vulnerability; the hardcoded keys are used to encrypt communication data and authenticate different nodes of the devices. An attacker may obtain the hardcoded keys and log in to such a device through SSH. | Huawei OceanStor 5600 V3 V300R003C00 has a hardcoded SSH key vulnerability; the hardcoded keys are used to encrypt communication data and authenticate different nodes of the devices. An attacker may obtain the hardcoded keys and log in to such a device through SSH. |
| securityfocus | 93607 | 93607 | 93607 |
| securityfocus_title | Huawei OceanStor 5800 V3 Hardcoded SSH Key Security Bypass Vulnerability | Huawei OceanStor 5800 V3 Hardcoded SSH Key Security Bypass Vulnerability | Huawei OceanStor 5800 V3 Hardcoded SSH Key Security Bypass Vulnerability |
| location | Website | Website | Website |
| cvss2_vuldb_e | ND | ND | ND |
| cvss2_vuldb_rl | W | W | W |
| cvss2_vuldb_rc | ND | ND | ND |
| cvss3_vuldb_e | X | X | X |
| cvss3_vuldb_rl | W | W | W |
| cvss3_vuldb_rc | X | X | X |
| 0day_days | 164 | 164 | 164 |
| cvss3_nvd_basescore | 7.5 | 7.5 | 7.5 |
| vendor | Huawei | Huawei | Huawei |
| name | OceanStor 5600 | OceanStor 5600 | OceanStor 5600 |
| version | V300R003C00 | V300R003C00 | V300R003C00 |
| component | SSH Key | SSH Key | SSH Key |
| cwe | 798 (hard-coded credentials) | 798 (hard-coded credentials) | 798 (hard-coded credentials) |
| risk | 2 | 2 | 2 |
| historic | 0 | 0 | 0 |
| cvss2_vuldb_basescore | 6.8 | 6.8 | 6.8 |
| cvss2_vuldb_tempscore | 6.5 | 6.5 | 6.5 |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | M | M | M |
| cvss2_vuldb_au | N | N | N |
| cvss2_vuldb_ci | P | P | P |
| cvss2_vuldb_ii | P | P | P |
| cvss2_vuldb_ai | P | P | P |
| cvss2_nvd_av | A | A | A |
| cvss2_nvd_ac | M | M | M |
| cvss2_nvd_au | N | N | N |
| cvss2_nvd_ci | P | P | P |
| confirm_url | | http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161017-01-storage-en | http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161017-01-storage-en |
| osvdb_title | | CVE-2016-8754 - Huawei - OceanStor 5600 V3 - Hardcoded Credentials Issue | CVE-2016-8754 - Huawei - OceanStor 5600 V3 - Hardcoded Credentials Issue |
| securityfocus_date | | 1476662400 (10/17/2016) | 1476662400 (10/17/2016) |
| securityfocus_class | | Design Error | Design Error |
| discoverydate | | 1476921600 | 1476921600 |
| identifier | | | sa-20161017-01 |
| cvss2_nvd_basescore | | | 5.4 |
