A vulnerability classified as critical has been found in Huawei FusionSphere OpenStack (Cloud Software) (unknown version). Affected is an unknown code block. The manipulation with an unknown input leads to a risky encryption vulnerability. CWE is classifying the issue as CWE-327. The product uses a broken or risky cryptographic algorithm or protocol. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

FusionSphere OpenStack V100R006C00SPC102(NFV)has a week cryptographic algorithm vulnerability. Attackers may exploit the vulnerability to crack the cipher text and cause information leak on the transmission links.

The bug was discovered 11/16/2017. The weakness was released 11/22/2017 (Website). The advisory is available at huawei.com. This vulnerability is traded as CVE-2017-8191 since 04/25/2017. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1600 by the MITRE ATT&CK project.

The vulnerability was handled as a non-public zero-day exploit for at least 6 days. During that time the estimated underground price was around $5k-$25k.

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 102282†). Entries connected to this vulnerability are available at VDB-109923, VDB-109924, VDB-109925 and VDB-114812.

Productinfo

Type

• Cloud Software

Vendor

• Huawei

Name

• FusionSphere OpenStack

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion