CVE-2020-1830

Vulnerability

A memory management error exists in the IPSec Module of Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00; Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00. When handling a specific message, the module performs a 1 byte out-of-bound read. No special configuration is required; the code path is reachable by default in the affected software versions [1].

Exploitation

An attacker with network access can send a specially crafted IPSec message to the affected device. No authentication is required, as the vulnerable message processing occurs before authentication. The precise sequence involves sending the crafted message to the IPSec interface, which triggers the out-of-bound read during parsing [1].

Impact

Successful exploitation leads to a 1 byte out-of-bound read, which may cause a memory access error that disrupts normal service. This can result in a denial-of-service condition, potentially affecting IPSec-related traffic processing. The vulnerability does not appear to allow privilege escalation or data exfiltration beyond the single-byte read [1].

Mitigation

Huawei has released fixed versions: upgrade to V500R005C20SPC300 or later. The advisory was published on 2020-02-12, and affected users should apply the upgrade as soon as possible. No workarounds are documented in the advisory, and this vulnerability is not listed on the CISA KEV catalog as of the advisory date [1].