CVE-2019-5280 - OpenCVE

The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attacks, leading to the affected phones registered abnormally, affecting the availability of IP phones.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Huawei	Cloudlink Phone 7900 Cloudlink Phone 7900 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:huawei:cloudlink_phone_7900_firmware:v600r019c10:*:*:*:*:*:*:*

cpe:2.3:h:huawei:cloudlink_phone_7900:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en

History

No history.

MITRE

Status: PUBLISHED

Assigner: huawei

Published: 2019-08-13T20:35:24

Updated: 2024-08-04T19:54:51.773Z

Reserved: 2019-01-04T00:00:00

Link: CVE-2019-5280

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-08-13T21:15:12.067

Modified: 2019-08-27T18:21:25.813

Link: CVE-2019-5280

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CloudLink Phone 7900", "vendor": "Huawei", "versions": [{"status": "affected", "version": "V600R019C10"}]}], "descriptions": [{"lang": "en", "value": "The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attacks, leading to the affected phones registered abnormally, affecting the availability of IP phones."}], "problemTypes": [{"descriptions": [{"description": "TLS certificate verification", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-13T20:35:24", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2019-5280", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CloudLink Phone 7900", "version": {"version_data": [{"version_value": "V600R019C10"}]}}]}, "vendor_name": "Huawei"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attacks, leading to the affected phones registered abnormally, affecting the availability of IP phones."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "TLS certificate verification"}]}]}, "references": {"reference_data": [{"name": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en", "refsource": "CONFIRM", "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:54:51.773Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en"}]}]}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2019-5280", "datePublished": "2019-08-13T20:35:24", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2024-08-04T19:54:51.773Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:cloudlink_phone_7900_firmware:v600r019c10:*:*:*:*:*:*:*", "matchCriteriaId": "E564A0A3-4240-4DB3-99DA-2C8E35A315E4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:cloudlink_phone_7900:-:*:*:*:*:*:*:*", "matchCriteriaId": "946E376D-D857-4577-8DBC-DE788F91E124", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attacks, leading to the affected phones registered abnormally, affecting the availability of IP phones."}, {"lang": "es", "value": "El m\u00f3dulo SIP TLS del tel\u00e9fono Huawei CloudLink 7900 con V600R019C10 tiene una vulnerabilidad de verificaci\u00f3n de certificado TLS. Debido a la verificaci\u00f3n insuficiente de los par\u00e1metros espec\u00edficos del certificado del servidor TLS, los atacantes pueden realizar ataques de tipo man-in-the-middle , lo que lleva a que los tel\u00e9fonos afectados se registren de manera anormal, lo que afecta la disponibilidad de los tel\u00e9fonos IP."}], "id": "CVE-2019-5280", "lastModified": "2019-08-27T18:21:25.813", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-13T21:15:12.067", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190724-01-7900-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}