The HUAWEI E585 Wireless Modem is a terminal that provides high-speed wireless network access, either over a USB connection to a PC or over WiFi to multiple wireless devices. Within HSPA/UMTS or EDGE/GPRS/GSM coverage, users can access the network wirelessly, exchange short messages, and send and receive email. The current product has the following vulnerabilities:
1. The E585 does not check the admin login status in the session, which allows attackers to bypass admin authentication, access protected files and configure the device (Vulnerability ID: HWNSIRT-2012-1029);
2. Before the system interface is invoked, the web server module of the E585 does not strictly validate file names and file paths, which allows attackers to access protected files on the E585 through directory traversal and to modify files arbitrarily (Vulnerability ID: HWNSIRT-2012-1030).
Currently, workarounds are available and are detailed below.
Affected Products:
E585u-82
Affected versions:
V100R001B106D00SP96C240
V100R001B106D00SP01C426
V100R001B106D00SP01C17
E585
Affected versions:
V100R001C84B503SP02
V100R001C64B503
V100R001C402B102SP01
V100R001C361B102
V100R001C326B102SP02
V100R001C308B102SP01
V100R001C09B102SP02
V100R001C323B505SP03
1. Admin authentication can be bypassed.
Attackers can bypass admin authentication and directly access the E585 file system over the local connection. Once in possession of a device, unauthorized users can exploit this vulnerability to access non-shared user data and device data and to change the access configuration, which may lead to the leak of or tampering with user privacy data and device data (such as the session ID);
2. Devices do not restrict the access path.
The system does not strictly validate the file names and file paths in the request command. By exploiting this vulnerability, attackers can access the internal partitions of the device through directory traversal, or even modify files in the system partitions, which can prevent the device from starting or being used normally.
The above-mentioned vulnerabilities cannot be exploited from the WAN side.
Vulnerability classification has been performed using the CVSSv2 scoring system.
1. HWNSIRT-2012-1029:
CVSS v2 Base Score: 4.8 (AV:A/AC:L/Au:N/C:P/I:P/A:N)
CVSS v2 Temporal Score: 3.9 (E:F/RL:O/RC:C)
2. HWNSIRT-2012-1030:
CVSS v2 Base Score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)
CVSS v2 Temporal Score: 6.9 (E:F/RL:O/RC:C)
Prerequisites for exploiting the vulnerabilities:
An attacker must connect to the device through the WiFi or USB interface on the LAN side and send commands to the device using a command line tool.
Vulnerability Description:
HWNSIRT-2012-1029
Because the E585 does not strictly authenticate user login authority on the server, unauthorized users can bypass admin authentication to access and modify protected files directly. This can lead to the leak of and tampering with non-shared user data and to disclosure of the session ID, so attackers can configure the device without session ID authentication.
This vulnerability can only be exploited on the LAN side; it cannot be exploited to launch attacks from the WAN side.
HWNSIRT-2012-1030
Because the device does not restrict file access paths, a user who manually modifies the file path can reach system files, and from there access protected files or write arbitrary files into the system.
Before the system interface is invoked, the web server module of the E585 does not strictly validate the file names and file paths contained in request packets on the LAN side. Attackers can therefore manually modify the file names and paths in request packets and, through directory traversal, access protected system files or write arbitrary files into the system.
This vulnerability can only be exploited on the LAN side; it cannot be exploited to launch attacks from the WAN side.
Solution:
1. Add an authentication mechanism to the E585 web server for access through command lines, so that the login status of users is checked;
2. Add filtering of file access paths to the E585 web server: check whether the packets contain the directory traversal symbol and, if they do, ignore the access. Match the requested file names to prevent users from accessing files they are not authorized to access.
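The two checks in the Solution, sketched as a single request gate. This is an added example, not Huawei's firmware code; the function names, the status codes returned and the allow-list entries are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allow-list of files the web server may serve (constructed). */
static const char *const ALLOWED[] = { "index.html", "css/main.css", "api/status.xml" };

/* Decode %XX escapes so encoded separators and dots are seen by the filter.
 * Returns false on malformed escapes, embedded NUL bytes or oversized input. */
static bool url_decode(const char *in, char *out, size_t cap) {
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return false;
            char hex[3] = { in[1], in[2], 0 };
            c = (unsigned char)strtol(hex, NULL, 16);
            in += 2;
        }
        if (c == 0 || n + 1 >= cap) return false;
        out[n++] = (char)c;
    }
    out[n] = 0;
    return true;
}

/* True if any path segment is exactly ".." or a backslash is present. */
static bool has_traversal(const char *p) {
    if (strchr(p, '\\')) return true;
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.') return true;
        p += len;
        if (*p == '/') p++;
    }
    return false;
}

/* Gate applied before any file is opened.
 * 401: no logged-in session, 400: malformed path, 403: rejected, 200: allowed. */
int authorize_file_request(bool session_logged_in, const char *raw_path) {
    char path[256];
    if (!session_logged_in) return 401;            /* fix 1: login status first */
    if (!url_decode(raw_path, path, sizeof path)) return 400;
    const char *rel = path;
    while (*rel == '/') rel++;                     /* treat the path as relative */
    if (has_traversal(rel)) return 403;            /* fix 2a: drop traversal */
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(rel, ALLOWED[i]) == 0) return 200;  /* fix 2b: name match */
    return 403;
}
```

The filter runs on the decoded path, and the allow-list match is what finally grants access, so a path that slips past the traversal check in some other encoding is still refused.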
Version upgrade information and upgrade date:
| Product | Affected Version | Solved Version | Solved Time |
| --- | --- | --- | --- |
| E585u-82 | V100R001B106D00SP96C240 | V100R001B106D00SP97C240 | 2012-11-30 |
| E585u-82 | V100R001B106D00SP01C426 | V100R001B106D00SP02C426 | 2012-11-30 |
| E585u-82 | V100R001B106D00SP01C17 | V100R001B106D00SP02C17 | 2012-11-30 |
| E585 | V100R001C84B503SP02 | V100R001C84B503SP03 | 2012-11-30 |
| E585 | V100R001C64B503 | V100R001C64B503SP01 | 2012-11-30 |
| E585 | V100R001C402B102SP01 | V100R001C402B102SP02 | 2012-11-30 |
| E585 | V100R001C361B102 | V100R001C361B102SP01 | 2012-11-30 |
| E585 | V100R001C326B102SP02 | V100R001C326B102SP03 | 2012-11-30 |
| E585 | V100R001C308B102SP01 | V100R001C308B102SP02 | 2012-11-30 |
| E585 | V100R001C09B102SP02 | V100R001C09B102SP03 | 2012-11-30 |
| E585 | V100R001C323B505SP03 | V100R001C323B505SP04 | 2012-11-30 |
This vulnerability information was obtained from the CERT Coordination Center. We thank the CERT Coordination Center and the vulnerability discoverer for their attention to the vulnerabilities of Huawei products.
Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
For security problems with Huawei products and solutions, please contact PSIRT@huawei.com.
For general problems with Huawei products and solutions, please contact Huawei TAC (Huawei Technical Assistance Center) directly to request configuration or technical assistance.
2012-11-24 V1.0 INITIAL
Question 1: Can someone else exploit these vulnerabilities remotely over the network to read and write files on the board?
Answer: These vulnerabilities can only be exploited through the local area network to read and write files on the board. Remote users cannot access the Web Server of the board, so they cannot exploit these vulnerabilities remotely over the network.
Question 2: How can I identify the software version of the E585 I am using?
Answer: Locally access the address of the board gateway (the default address is 192.168.1.1) to log in to the Web UI, then check the software version under the menu Advanced settings->System->Version.