This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our private policy>

Security Advisory-Web server vulnerabilities on Huawei E585 pocket Wi-Fi 2 device

  • SA No:Huawei-SA-20121124-1-E585
  • Initial Release Date: 2012-11-24
  • Last Release Date: 2012-11-24

HUAWEI E585 Wireless Modem is the terminal which can realize the high-speed wireless network access. The access is realized by the connection between USB interfaces and PCs or by the connection between WiFi and many wireless devices. In the network coverage area of HSPA/UMTS or EDGE/GPRS/GSM, users can enjoy the applications of wireless network access, short message communication, and sending and receiving emails. The current product has the following vulnerabilities:

1. E585 has not checked the login status of admin in the session , which leads to the vulnerability that can bypass the admin authority authentication to allow attackers to access the protected files and configure the devices (Vulnerability ID: HWNSIRT-2012-1029);

2. Before the system interface is invoked, the web server module of E585 has not strictly checked the validity of the file names and the paths of the files, which can allow attackers access the protected files on E585 through directory traversal and arbitrarily modify the files (Vulnerability ID: HWNSIRT-2012-1030).

Currently, workarounds are available and are detailed below.

Affected Products:

E585u-82

Affected versions:

V100R001B106D00SP96C240

V100R001B106D00SP01C426

V100R001B106D00SP01C17

E585

Affected versions:

V100R001C84B503SP02

V100R001C64B503

V100R001C402B102SP01

V100R001C361B102

V100R001C326B102SP02

V100R001C308B102SP01

V100R001C09B102SP02

V100R001C323B505SP03


1. The authority authentication of admin has been bypassed.

Attackers can bypass the admin authority authentication to directly access the E585 file system through the local connection. After having obtained the devices, the illegal users can exploit this vulnerability to access the non-shared user data and the device data and can set the access configuration which may lead to the leak or tampering of the user privacy data and the device data (such as the session ID);

2. Devices do not restrict the access path.

The system has not strictly checked the validity of the file names and the paths of the files in the request command. Once this vulnerability has been exploited, attackers can access the internal partitions of devices through directory traversal or even modify the files inside the system partitions which can make the devices fail to be started normally or used.

The above-mentioned vulnerability can not be exploited from the WAN side.



The vulnerability classification has been performed by using the CVSSv2 scoring system

(http://www.first.org/cvss/).

1. HWNSIRT-2012-1029:

CVSS v2 Base Score: 4.8(AV:A/AC:L/Au:N/C:P/I:P/A:N)

CVSS v2 Temporal Score: 3.9 (E:F/RL:O/RC:C)

2. HWNSIRT-2012-1030:

CVSS v2 Base Score: 8.3(AV:A/AC:L/Au:N/C:C/I:C/A:C)

CVSS v2 Temporal Score: 6.9 (E:F/RL:O/RC:C)

Prerequisite of exploiting vulnerabilities to launch attacks:

It is necessary to connect to the devices through the WiFi or USB interface on the LAN side and to deliver commands to the devices by using the command line tool.

Vulnerability Description:

HWNSIRT-2012-1029

As E585 has not authenticated strictly the user login authority on the server, illegal users can bypass the admin authority authentication to access the protected files directly and modify the files. This can lead to the leak and tampering of the non-shared user data and the disclosure of the session ID, so attackers can configure the devices without the session ID authentication.

This vulnerability can only be exploited on the LAN side, and it cannot be exploited to launch attacks on the WAN side.

HWNSIRT-2012-1030

As the devices have not restricted the access path of the files, when users modify the path of the files manually, they can access the system files to further access the protected files or write arbitrary files into the system.

Before the system interface is invoked, the web server module of E585 has not strictly check the validity of the file names and the paths of the files which are contained in the request packets on the LAN side. So attackers can modify the file names and the paths of the files in the request packets manually, and access the protected files of the system or write arbitrary files into the system through directory traversal.

This vulnerability can only be exploited on the LAN side, and it cannot be exploited to launch attacks on the WAN side.

Solution:

1.  Add the authentication mechanism for the scenarios of access through command lines to the web server of E585 so as to check the login status of users;

2. Add the operation of the filtering of the access paths to files in the web server of E585, check whether there is the directory traversal symbol in the packets or not. If there is the directory traversal symbol, ignore the access. Check the file names which are accessed for matching to prevent users from accessing the files which they do not have the authority to access.

Version upgrade information and upgrade date:

Product

Affected Version

Solved Version

Solved Time

E585u-82

V100R001B106D00SP96C240

V100R001B106D00SP97C240

2012-11-30

V100R001B106D00SP01C426

V100R001B106D00SP02C426

2012-11-30

V100R001B106D00SP01C17

V100R001B106D00SP02C17

2012-11-30

E585

V100R001C84B503SP02

V100R001C84B503SP03

2012-11-30

V100R001C64B503

V100R001C64B503SP01

2012-11-30

V100R001C402B102SP01

V100R001C402B102SP02

2012-11-30

V100R001C361B102

V100R001C361B102SP01

2012-11-30

V100R001C326B102SP02

V100R001C326B102SP03

2012-11-30

V100R001C308B102SP01

V100R001C308B102SP02

2012-11-30

V100R001C09B102SP02

V100R001C09B102SP03

2012-11-30

V100R001C323B505SP03

V100R001C323B505SP04

2012-11-30

 


Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.


This vulnerability information is obtained from CERT Coordination Center. We thank CERT Coordination Center and the vulnerability discoverer here for their attention to the vulnerabilities of Huawei products.

Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


2012-11-24 V1.0 INITIAL

Question 1: Can someone else exploit these vulnerabilities remotely through networks to perform the read-write operation on the board files?

Answer: These vulnerabilities can only be exploited through the local area network to make the read-write operation on the board files possible. The remote users cannot access the Web Server of board, so they cannot exploit these vulnerabilities remotely through networks.

Question 2: How can I identify the software version of the E585 I am using?

Answer: Locally access the address of the board gateway (the default address is 192.168.1.1) to log in to the Web UI. And check the software version under the menu of Advanced settings->System->Version.



This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.