安全预警 - OpenSSL DROWN安全漏洞
- 预警编号:huawei-sa-20160330-01-openssl
- 初始发布时间: 2016年03月30日
- 更新发布时间: 2022年01月10日
OpenSSL官方于2016年3月1日发布的安全公告中,公开了一个新的高危安全漏洞“DROWN攻击漏洞”(CVE-2016-0800)。
该漏洞是由于使用了SSLv2协议,攻击者可以通过中间人或者网络节点抓包窃取SSL的会话秘钥,通过解密加密流量获取用户敏感信息。(Vulnerability ID: HWPSIRT-2016-03007)
此漏洞的CVE编号为:CVE-2016-0800。
华为部分产品已发布版本修复该漏洞。安全预警链接:
http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20160330-01-openssl-cn
|
产品名称 |
版本号 |
修复版本号 |
|
Agile Controller-Campus |
V100R001C00 |
Upgrade to V100R002C00SPC105 |
|
V100R002C00 |
V100R002C00SPC105 |
|
|
BH620 V2 |
V100R002C00 |
V100R002C00SPC200 |
|
BH621 V2 |
V100R002C00 |
V100R002C00SPC200 |
|
BH622 V2 |
V100R002C00 |
V100R002C00SPC300 |
|
BH640 V2 |
V100R002C00 |
V100R002C00SPC300 |
|
Campus Controller |
V100R001C00B001 |
Agile Controller-Campus V100R002C00SPC105 |
|
CH121 |
V100R001C00 |
V100R001C00SPC260 |
|
CH140 |
V100R001C00 |
V100R001C00SPC260 |
|
CH220 |
V100R001C00 |
V100R001C00SPC260 |
|
CH221 |
V100R001C00 |
V100R001C00SPC260 |
|
CH222 |
V100R002C00 |
V100R001C00SPC260 |
|
CH240 |
V100R001C00 |
V100R001C00SPC260 |
|
CH242 |
V100R001C00 |
V100R001C00SPC260 |
|
CSS |
CSS V100R001C00 |
OceanStor 9000 V100R001C30SPC200 |
|
E9000 Chassis |
V100R001C00 |
V100R001C00SPC290 |
|
eSight Network |
V300R003C10 |
Upgrade to V300R003C20SPC105 |
|
V300R003C20 |
V300R003C20SPC105 |
|
|
eSight UC&C |
eSight UC&C V100R001C01 |
eSight Network V300R003C20SPC105 |
|
eSight UC&C V100R001C20 |
||
|
FusionManager |
V100R003C10 |
Upgrade to V100R005C10SPC700 |
|
FusionStorage DSware |
V100R003C30 |
V100R003C30SPC200 |
|
FusionStorage |
V100R003C00SPC300 |
V100R003C00SPC308 |
|
V100R003C02SPC300 |
V100R003C02SPC306 |
|
|
HiSTBAndroid |
V600R001C00SPC060 |
Upgrade to V600R002SPC030 |
|
HUAWEI Tecal E6000 |
HUAWEI Tecal E6000 V100R001C01 |
E6000 Chassis V100R001C00SPC500 |
|
OceanStor 9000 |
V100R001C01 |
Upgrade to V100R001C30SPC200 |
|
V100R001C30 |
V100R001C30SPC200 |
|
|
OceanStor 9000E |
OceanStor 9000E V100R001C01 |
OceanStor 9000 V100R001C30SPC200 |
|
OceanStor 9000E V100R001C05 |
||
|
OceanStor 9000E V100R002C00 |
||
|
OceanStor 9000E V100R002C01 |
||
|
OceanStor 9000E V100R002C02 |
||
|
OceanStor N8500 |
V200R001C10 |
Upgrade to V200R002C00SPC102 |
|
V200R002C00 |
V200R002C00SPC102 |
|
|
Policy Center |
Policy Center V100R003C00 |
Agile Controller-Campus V100R002C00SPC105 |
|
Policy Center V100R003C10 |
||
|
Public Cloud Solution |
Public Cloud Solution V100R001C00 |
Public Cloud Solution 0-DT 1.0.0 |
|
RH1288 V2 |
V100R002C00 |
V100R002C00SPC602 |
|
RH2285 V2 |
V100R002C00 |
V100R002C00SPC300 |
|
RH2285H V2 |
V100R002C00 |
V100R002C00SPC500 |
|
RH2288 V2 |
V100R002C00 |
V100R002C00SPC500 |
|
RH2288E V2 |
V100R002C00 |
V100R002C00SPC200 |
|
RH2288H V2 |
V100R002C00 |
V100R002C00SPC602 |
|
RH2485 V2 |
V100R002C00 |
V100R002C00SPC601 |
|
RH5885 V2 |
V100R001C00 |
Upgrade to V100R001C02SPC302 |
|
V100R001C01 |
||
|
V100R001C02 |
V100R001C02SPC302 |
|
|
RH5885 V3 |
V100R003C00 |
Upgrade to V100R003C01SPC111 |
|
RH5885H V3 |
V100R003C00 |
V100R003C00SPC113 |
|
X6000 |
X6000 V100R002C00 |
XH320 V2 V100R001C00SPC200 |
|
UPS2000 |
V100R001C10SPC500 |
Upgrade to V100R021C92SPC050 |
|
V100R001C10SPC600 |
||
|
SMU(02S) |
V500R001C60 |
Upgrade to SMU V500R003C00SPC031 |
|
V500R001C50 |
||
|
V500R002C00 |
||
|
V500R002C10 |
||
|
V500R002C20 |
||
|
V500R002C30 |
||
|
SMU(02B) |
V300R002C10 |
Upgrade to SMU V500R002C20SPC961 |
|
V300R002C20 |
||
|
V300R003C00 |
||
|
V300R003C10 |
||
|
V300R003C91 |
||
|
V300R003C93 |
||
|
V500R001C00 |
||
|
V500R001C10 |
||
|
V500R001C20 |
||
|
SMU(02C) |
V500R001C60 |
Upgrade to SMU V500R003C00SPC031 |
|
V500R001C20 |
||
|
V500R001C30 |
||
|
V500R001C50 |
||
|
V500R002C00 |
||
|
V500R002C10 |
||
|
V500R002C20 |
||
|
V500R002C30 |
||
|
V500R002C50 |
||
| ECC500 |
ECC500 V600R001C00 |
ECC500 V600R001C03SPC102 |
| ECC500 V600R001C03 |
||
| ACC |
ACC V100R002C00SPC100 |
ACC V100R002C00SPC710 |
| ACC V100R002C00SPC200 |
||
| ACC V100R002C00SPC300 |
||
| ACC V100R002C00SPC400 |
||
| ACC V100R002C00SPC500 |
||
| ACC V100R002C00SPC600 |
||
| ACC V200R001C00SPC100 |
||
| ACC V200R001C00SPC200 |
||
| ACC V200R001C00SPC300 |
||
| ACC V200R001C10SPC100 |
ACC V200R001C30SPC290 |
|
| ACC V200R001C11SPC100 |
ACC V200R001C11SPC300 |
攻击者利用这个漏洞,可以获取系统敏感信息。
漏洞使用CVSSv2计分系统进行分级(http://www.first.org/cvss/)
基础得分:4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
临时得分:3.6 (E:F/RL:O/RC:C)
设备使用了受影响的Openssl,并且支持(enable)SSLv2,同时使用了RSA秘钥交换加密套(RSA key exchange cipher suites)
2. 攻击步骤:
由于使用了SSLv2协议,攻击者可以通过中间人或者网络节点抓包窃取SSL的会话秘钥,通过解密加密流量获取用户敏感信息。
更多详情请参考如下链接:
https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/
无
用户可以通过华为TAC (Huawei Technical Assistance Center)获取补丁/更新版本。
TAC的联系方式见链接http://www.huawei.com/cn/psirt/report-vulnerabilities。
该漏洞是由OpenSSL官网发布。
2022-01-10 V1.4 UPDATE Update the affected product list and fixed version
2020-12-30 V1.3 UPDATE Update the affected product list and fixed version
2016-05-18 V1.2 UPDATE Update the affected product list and fixed version
2016-04-27 V1.1 UPDATE Update the affected product list and fixed version
2016-03-30 V1.0 INITIAL
无
华为一贯主张尽全力保障产品用户的最终利益,遵循负责任的安全事件披露原则,并通过产品安全问题处理机制处理产品安全问题。
获取华为公司安全应急响应服务及华为产品漏洞信息,请访问http://www.huawei.com/cn/psirt。
反馈华为产品和解决方案安全问题,请反馈至华为PSIRT邮箱PSIRT@huawei.com,详情参考http://www.huawei.com/cn/psirt/report-vulnerabilities。
