| Announcement category | Mandatory immediate rectification |
| Scope of rectification | The entire network |
| Rectification deadline | 2024/3/31 |
| Operational requirements | Security reinforcement, version upgrade |
I. This announcement involves ACG1000 series products; the affected models are listed in the table below.
| Product model | Affected versions | Fixed version |
|---|---|---|
| ACG1000-AE, ACG1000-AK230, ACG1000-AK250, ACG1000-EE, ACG1000-ME, ACG1000-SE, ACG1000-TE | R6611 (inclusive) to R6611P18 (exclusive); R6612 (inclusive) to R6612P04 (exclusive) | Upgrade to R6614P11 or a later version |
When a device of one of the above models runs one of the above versions and the http or https service is enabled on it, a command injection vulnerability exists. An attacker can use this vulnerability to implant malicious code tools on the device. Such a tool can be used to carry out DDoS attacks, consuming the device's CPU and bandwidth resources and causing business packet loss.
1. Workaround:
To harden the existing network, it is recommended to disable non-essential services such as http, https, telnet and ssh on any external-network port that carries a public IP at the site, and to manage the device through a bastion or jump host, or over a VPN-encrypted connection.
2. Solutions:
The problem is prevented by upgrading to the fixed version given in the table.
Each site should follow the version usage specification when performing the upgrade.
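To decide which devices in an inventory still need the upgrade, the version ranges from the table can be checked mechanically. The following helper is an added example written for this announcement, not code from the vendor. It assumes that ACG1000 version strings have the form `R<release>P<patch>` as shown in the table, that a bare `R6611` sorts below any `R6611Pnn`, and that both numbers compare numerically. Versions outside the affected ranges but below R6614P11 (for example R6613) are not addressed by the announcement, so they are reported as `not-listed` rather than assumed safe.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected ranges from the announcement table: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [("R6611", "R6611P18"), ("R6612", "R6612P04")]
# Fixed version from the announcement table: this version and later are fixed.
FIXED_FROM = "R6614P11"

# Assumed version format: R<release> optionally followed by P<patch>.
_VERSION_RE = re.compile(r"^R(\d+)(?:P(\d+))?$")


def parse_version(version: str) -> Tuple[int, int]:
    """Turn 'R6611P18' into (6611, 18); a bare 'R6611' is treated as patch level 0."""
    m = _VERSION_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised ACG1000 version string: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for one running version."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        # Tuple comparison orders by release first, then by patch level.
        if parse_version(low) <= v < parse_version(high):
            return "affected"
    if v >= parse_version(FIXED_FROM):
        return "fixed"
    return "not-listed"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Classify every (device_name, version) pair from an inventory export."""
    return {name: classify(ver) for name, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are illustrative only.
    sample = [
        ("acg-site-a", "R6611P05"),
        ("acg-site-b", "R6612P04"),
        ("acg-site-c", "R6614P11"),
    ]
    for name, status in triage(sample).items():
        print(f"{name}: {status}")
```

Devices reported as `affected` fall under the mandatory rectification; `not-listed` devices should be confirmed against the version usage specification before being treated as unaffected.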