This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our private policy>

Security Advisory-Segment Fault When Parsing Http Request in Web server of E585

  • SA No:Huawei-SA-20121203-1-E585
  • Initial Release Date: 2012-12-03
  • Last Release Date: 2012-12-03

HUAWEI E585 Wireless Modem is the terminal which can realize the high-speed wireless network access. The access is realized by the connection between USB interfaces and PCs or by the connection between WiFi and many wireless devices. In the network coverage area of HSPA/UMTS or EDGE/GPRS/GSM, users can enjoy the applications of wireless network access, short message communication, and sending and receiving emails. The current product has the following vulnerabilities:

For some specific attacking packets (such as the packets sent by vulnerability scanning tools), as the check of the pointer value returned by string matching function is not enough when E585 is analyzing the HTTP request segments, pointer access errors occur and lead to the segment fault which can cause the device become unable to respond (Vulnerability ID: HWNSIRT-2012-1031).

We have made the version updating plan.

Affected Products:

E585u-82

Affected versions:

V100R001B106D00SP96C240

V100R001B106D00SP01C426

V100R001B106D00SP01C17

E585

Affected versions:   

V100R001C84B503SP02

V100R001C64B503

V100R001C402B102SP01

V100R001C361B102

V100R001C326B102SP02

V100R001C308B102SP01

V100R001C09B102SP02

V100R001C323B505SP03

The exploitation of this vulnerability may cause the device become unable to respond and fail to function normally.


The vulnerability classification has been performed by using the CVSSv2 scoring system

(http://www.first.org/cvss/).

CVSS v2 Base Score: 6.1(AV:A/AC:L/Au:N/C:N/I:N/A:C)

CVSS v2 Temporal Score: 4.8 (E:P/RL:O/RC:C)

Prerequisite of exploiting vulnerabilities to launch attacks:

The specific attacking tool (such as the command line tool or vulnerability scanning tool) needs to be connected to the devices through WiFi on the LAN side or through USB interfaces and the attacking packets are sent through this specific tool.

Detailed Vulnerability Description:

When E585 is analyzing some specific attacking packets (such as the packets which are sent by attackers when vulnerability scanning software scans the E585), the HTTP request segment in the packets can cause some character string pointer in the code (the return value of the character matching function and the character string pointer used in the login authentication function) be set to Null, and the code does not check whether the value of this point is null or not. Therefore, the access of programs to the null pointer leads to the segment fault, which can cause the devices become unable to respond and fail to function normally.

This vulnerability cannot be exploited to launch attacks on the WAN side.

Solutions:

When E585 is analyzing the HTTP request segments, make it check the return value of the character string matching function (the pointer) to prevent the pointer access errors.

Version upgrade information and upgrade date:

Product

Affected Version

Solved Version

Solved Time

E585u-82

V100R001B106D00SP96C240

V100R001B106D00SP97C240

2012-11-30

V100R001B106D00SP01C426

V100R001B106D00SP02C426

2012-11-30

V100R001B106D00SP01C17

V100R001B106D00SP02C17

2012-11-30

E585

V100R001C84B503SP02

V100R001C84B503SP03

2012-11-30

V100R001C64B503

V100R001C64B503SP01

2012-11-30

V100R001C402B102SP01

V100R001C402B102SP02

2012-11-30

V100R001C361B102

V100R001C361B102SP01

2012-11-30

V100R001C326B102SP02

V100R001C326B102SP03

2012-11-30

V100R001C308B102SP01

V100R001C308B102SP02

2012-11-30

V100R001C09B102SP02

V100R001C09B102SP03

2012-11-30

V100R001C323B505SP03

V100R001C323B505SP04

2012-11-30

 




















Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.


This vulnerability information is obtained from CERT Coordination Center. We thank CERT Coordination Center and the vulnerability discoverer here for their attention to the vulnerabilities of Huawei products.

Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


2012-12-3 V1.0 INITIAL

Question 1: Can someone else exploit this vulnerability remotely through networks?

Answer: This vulnerability can only be exploited through the local area network. The remote users cannot access the Web Server of board, so they cannot exploit this vulnerability remotely through networks.

Question 2: How can I identify the software version of the E585 I am using?

Answer: Locally access the address of the board gateway (the default address is 192.168.1.1) to log in to the Web UI. And check the software version under the menu of Advanced settings->System->Version.


This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.