Security Advisory-Two Security Vulnerabilities in the ME906 Wireless Module
- SA No:Huawei-SA-20150805-01-ME906
- Initial Release Date: Aug 05, 2015
- Last Release Date: Nov 19, 2015
ME906 is a mobile Internet access module. The module supports LTE, WCDMA, EVDO, and GSM. The product uses the M.2 interface, supports Windows 7 and Windows 8.1, and is intended for laptop and tablet OEM.
This security advisory (SA) describes the impact of two vulnerabilities. These vulnerabilities are referenced in this document as follows:
The upgrade package of the ME906 wireless module contains the hash values of the root account and password. An attacker can obtain the password of the root account through reverse cracking, connect to the serial port of the wireless module, and enter the root account and password to log in to the operating system of the module. (HWPSIRT-2015-02009)
This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-5367.
This module implements upgrade check using CRC16, which is insecure. Much study is done for reversely cracking this algorithm. (HWPSIRT-2015-06032)
This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-5368.
|
Product Name |
Affected Version |
Solved version |
|
ME906E |
Earlier than ME906ETCPU-V100R002B500D00SP13C1803 versions |
ME906ETCPU-V100R002B500D00SP13C1803 |
|
ME906V |
Earlier than ME906VTCPU-V100R002B430D28SP01C00 versions |
ME906VTCPU-V100R002B430D28SP01C00 |
|
ME906J |
ME906JTCPU-V100R002B430D28SP00C00 and earlier versions |
ME906JTCPU-V100R002B430D28SP01C00 ME906JTCPU-V100R002B430D28SP02C00 |
Note:If the end user requests a version upgrade, please contact the vendor to upgrade the version and fix the vulnerability.
HWPSIRT-2015-02009: An attacker can exploit this vulnerability to obtain the root permission, access the system by connecting the serial port, and view or modify configuration.
HWPSIRT-2015-06032: An attacker can exploit this vulnerability to tamper with the upgrade package, leading to an upgrade failure or the upgrade of an incorrect package. As a result, services may become unavailable.The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
HWPSIRT-2015-02009:
Base Score: 6.9 (L/AC:M/Au:N/C:C/I:C/A:C)
Temporal Score: 5.7 (E:F/RL:O/RC:C)
HWPSIRT-2015-06032:
Base Score: 7.8(AV:N/AC:M/Au:N/C:N/I:P/A:C)
Temporal Score: 6.5 (E:F/RL:O/RC:C)
HWPSIRT-2015-02009:
The upgrade package of the ME906 wireless module contains the hash values of the root account and password. An attacker can obtain the password of the root account through reverse cracking.
The ME906 wireless module provides a debugging serial port at the rear for troubleshooting, opening a way for physical cracking by hackers. The hackers can connect to the serial port of the wireless module, and enter the root account and password to log in to the operating system of the module.
HWPSIRT-2015-06032:
This module implements upgrade check using CRC16, which is insecure. Much study is done for reversely cracking this algorithm. Hackers may change or add a code segment to the upgrade file, recalculate a CRC value, and tamper with the firmware of this module through CRC check during upgrade.
This vulnerability was reported privately to Huawei by Mickey Shkatov from Intel Advanced Threat Research Team and Jesse Michael from Intel. Huawei expresses our appreciation for Mickey Shkatov’s and Jesse Michael’s coordinated vulnerability disclosure with Huawei.
Huawei PSIRT is not aware of any malicious use of the vulnerabilities described in this advisory.
For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2015-11-19 V1.1 UPDATE Updated the “Software Versions and Fixes” element
2015-08-05 V1.0 INITIAL
None
