The UAP2105 serves as a radio access device in the uBro solutions. As one of the AP series products developed on the basis of 3GPP R99/R4/R5/R6 FDD, the UAP2105 complies with the R8 HNB standard and provides Small Office and Home Office (SOHO) and home users with improved indoor coverage. With the UAP2105, indoor coverage holes can be eliminated and load sharing with the macro network can be achieved.
The level-2 BootROM of the UAP2105s delivered before April 2010 supports the serial port. No authentication is required to access the serial port or the VxWorks shell. Therefore, an attacker can access the shell through the serial port to execute VxWorks debugging commands, so as to view or modify the memory and files, leading to information leaks and system anomalies. (Vulnerability ID: HWPSIRT-2015-08021).
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-6592.
Product Name
|
Affected Version
|
Resolved Product and Version
|
UAP2105
|
V300R011C01B028(BootRom)[2]
|
V300R012C00SPC160(BootRom) [1]
|
V300R011C01B030(BootRom)
|
V300R011C0SPC100(BootRom)
|
V300R011C01SPC110(BootRom)
|
[1] To upgrade the BootROM, the carrier customer needs to load a temporary software version, UAP2105_2105C01_2815_2835_2855V300R012C00SPC221. End users can contact the carrier to upgrade the UAP2105.
[2] For information about the BootROM versions, refer to the FAQ.
After accessing the VxWorks shell, an attacker can view or modify the memory and files, leading to information leaks and system anomalies.
The vulnerability classification has been performed by using the CVSSv2 scoring system (
http://www.first.org/cvss/).
Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Temporal Score: 5.9 (E:F/RL:O/RC:C)
Overall Score: 5.9
After the attacker get the UAP2105 device, the attacker can remove the shell of the UAP2105, locate the pin of serial port and JTAG on the main board, and access the level-2 BootROM through the serial port. The serial port has no authentication mechanism. After accessing the VxWorks shell, the attacker can view or modify the memory and files, leading to information leaks and system anomalies.
This vulnerability was disclosed by Alexey Osipov and Alexander Zaitsev at the US Blackhat Conference in August.
For security problems about Huawei products and solutions, please contact
PSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2015-09-07 V1.1 UPDATE Add the CVE ID
2015-09-02 V1.0 INITIAL
Querying the BootROM Version Information:
Step 1 Log in to the AP Manager.
Step 2 Choose Configuration > Single Configuration, specify Serial NO., and then click Search to search for the AP.
Step 3 On the Single Configuration page, click Query to view the current L1 and L2 BootROM versions. L1 and L2 BootROM versions are displayed under X_0D1F7B_FirstBootROMVersion and X_0D1F7B_SecondBootROMVersion, respectively.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei. or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.
Complete information on providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at
http://www.huawei.com/en/security/psirt/.