CVE-2017-17299
Description
Huawei AR120-S V200R006C10, V200R007C00, AR1200 V200R006C10, V200R006C13, V200R007C00, V200R007C02, AR1200-S V200R006C10, V200R007C00, V200R008C20, AR150 V200R006C10, V200R007C00, V200R007C02, AR150-S V200R006C10, V200R007C00, AR160 V200R006C10, V200R006C12, V200R007C00S, V200R007C02, AR200 V200R006C10, V200R007C00, AR200-S V200R006C10, V200R007C00, AR2200 V200R006C10, V200R006C13, V200R006C16, V200R007C00, V200R007C02, AR2200-S V200R006C10, V200R007C00, V200R008C20, AR3200 V200R006C10, V200R006C11, V200R007C00, V200R007C02, AR3600 V200R006C10, V200R007C00, AR510 V200R006C12, V200R006C13, V200R006C15, V200R006C16, V200R006C17, V200R007C00, IPS Module V500R001C30, NIP6300 V500R001C30, NetEngine16EX V200R006C10, V200R007C00 have an insufficient input validation vulnerability. An unauthenticated, remote attacker may send crafted IKE V2 messages to the affected products. Due to the insufficient validation of the messages, successful exploit will cause invalid memory access and result in a denial of service on the affected products.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crafted IKE V2 messages from an unauthenticated, remote attacker cause invalid memory access and denial of service on Huawei AR-series, IPS Module, NIP6300, and NetEngine16EX products.
Vulnerability
An insufficient input validation vulnerability exists in the IKE V2 message handling of multiple Huawei products, including AR120-S, AR1200, AR1200-S, AR150, AR150-S, AR160, AR200, AR200-S, AR2200, AR2200-S, AR3200, AR3600, AR510, IPS Module V500R001C30, NIP6300 V500R001C30, and NetEngine16EX. The affected versions include V200R006C10, V200R006C11, V200R006C12, V200R006C13, V200R006C15, V200R006C16, V200R006C17, V200R007C00, V200R007C00S, V200R007C02, V200R008C20, and others as listed in the advisory [1]. An unauthenticated, remote attacker can send crafted IKE V2 messages to the device, and due to incomplete validation, the messages trigger invalid memory access, leading to a denial of service.
Exploitation
An attacker does not require any prior authentication or network proximity beyond IP connectivity to the target device. The attacker crafts specific IKE V2 packets and sends them to the affected Huawei product. The software lacks proper input validation on these messages, so processing them causes an invalid memory access condition. No user interaction or special privileges are needed [1].
Impact
Successful exploitation results in a denial of service. The invalid memory access disrupts device operation, potentially causing crashes or service interruptions on the router or network security appliance. Confidentiality and integrity are not directly compromised according to the advisory [1].
Mitigation
Huawei has released software updates to fix this vulnerability. The resolved versions are listed per product in the advisory; for example, AR120-S V200R006C10SPC300 is resolved in V200R008SPH003. The advisory was published 2017-12-15 and updated 2020-09-16 [1]. Users should upgrade to the specified resolved versions or later. If upgrading is not possible, applying access control lists to restrict IKE V2 traffic from untrusted sources may reduce risk until a patch can be applied.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: V500R001C30
- Huawei Technologies Co., Ltd./AR120-S,AR1200,AR1200-S,AR150,AR150-S,AR160,AR200,AR200-S,AR2200,AR2200-S,AR3200,AR3600,AR510,IPS Module,NIP6300,NetEngine16EX
  Range: AR120-S V200R006C10, V200R007C00, AR1200 V200R006C10, V200R006C13, V200R007C00, V200R007C02, AR1200-S V200R006C10, V200R007C00, V200R008C20, AR150 V200R006C10, V200R007C00, V200R007C02, AR150-S V200R006C10, V200R007C00, AR160 V200R006C10, V200R006C12, V200R007C00S, V200R007C02, AR200 V200R006C10, V200R007C00, AR200-S V200R006C10, V200R007C00, AR2200 V200R006C10, V200R006C13, V200R006C16, V200R007C00, V200R007C02, AR2200-S V200R006C10, V200R007C00, V200R008C20, AR3200 V200R006C10, V200R006C11, V200R007C00, V200R007C02, AR3600 V200R006C10, V200R007C00, AR510 V200R006C12, V200R006C13, V200R006C15, V200R006C16, V200R006C17, V200R007C00, IPS Module V500R001C30, NIP6300 V500R001C30, NetEngine16EX V200R006C10, V200R007C00
Patches
No patches discovered yet.
References
[1] www.huawei.com/en/psirt/security-advisories/huawei-sa-20171215-01-ike-en (mitre, x_refsource_CONFIRM)