A vulnerability, which was classified as critical, has been found in Huawei FusionSphere OpenStack (Cloud Software) (version unknown). Affected by this issue is an unknown function. The manipulation with an unknown input leads to a command injection vulnerability. Using CWE to declare the problem leads to CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. CVE summarizes:

The FusionSphere OpenStack V100R006C00SPC102(NFV) has a command injection vulnerability. Due to the insufficient input validation on one port, an authenticated, local attacker may exploit the vulnerability to gain root privileges by sending message with malicious commands.

The bug was discovered 11/16/2017. The weakness was presented 11/22/2017 (Website). The advisory is shared for download at huawei.com. This vulnerability is handled as CVE-2017-8193 since 04/25/2017. The attack may be launched remotely. The successful exploitation requires a simple authentication. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1202.

The vulnerability was handled as a non-public zero-day exploit for at least 6 days. During that time the estimated underground price was around $5k-$25k.

Upgrading eliminates this vulnerability.

See 109930 for similar entry.

Productinfo

Type

• Cloud Software

Vendor

• Huawei

Name

• FusionSphere OpenStack

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion