Branch Intelligent Management System (BIMS) and Web management are provided by Huawei for network and device management.
Both BIMS and Web management use HTTP, so HTTP must be enabled on the device in order to use either of them. An attacker can trigger a heap overflow by sending a malformed HTTP response message that carries encoded shellcode, and can thereby execute that shellcode remotely on the device (Vulnerability ID: HWNSIRT-2012-0805).
This vulnerability was first reported by Felix Lindner of Recurity Labs GmbH.
Currently, workarounds are available and are detailed below.
1. Affected Products:
AR routers:
AR 19/29/49, versions earlier than R2207
AR 28/46, R0311 and earlier versions
AR 18-3x, R0118 and earlier versions
AR 18-2x, R1712 and earlier versions
AR 18-1x, R0130 and earlier versions
Switches:
S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches
S7800 series switches with version R6305 or later
S8500 series switches with version R1631
S8500 series switches with version R1632
2. Not Affected Products:
AR routers:
AR G3 (AR 200/1200/2200/3200)
AR 19/29/49, R2207 and later versions
Switches:
S6500 series switches
S7800 series switches with version R6105
S2300, S3300, S5300, S6300 and S9300 series switches
S8500 series switches with versions earlier than R1631
S8500 series switches with versions later than R1632
S2700, S3700, S5700, S6700, S7700 and S9700 series switches
By exploiting the vulnerability, an attacker can execute arbitrary injected code on the device.
The vulnerability classification has been performed using the CVSSv2 scoring system (http://www.first.org/cvss/).
Buffer Overflow on Heap when parsing HTTP Response:
Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Temporal Score: 9.0 (E:H/RL:T/RC:C)
Both of the following conditions must be satisfied for the vulnerability to be exploitable:
1. The HTTP management interface is in the "Up" state (it is enabled by default).
2. The IP address of the management interface is reachable from the attacker's network.
When parsing an HTTP response message, the device allocates a heap buffer whose size is taken from the Content-Length header of the message, then copies the message body into that buffer with strcpy() without checking the body's actual length. strcpy() copies until it reaches a NUL terminator, not until Content-Length bytes have been copied, so when the Content-Length value is smaller than the actual body length the copy runs past the end of the allocation and overwrites adjacent heap memory. A crafted body therefore corrupts the heap and leads to remote shellcode execution.
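The following program models the pattern described above, the Content-Length-sized heap buffer filled with strcpy(), next to a length-checked replacement that rejects a body whose real length does not match the declared one. It is an added example written for this page, not Huawei's code or the VRP implementation: the header-splitting helper, the function names and the two sample responses are assumptions, and the sample responses are constructed for the example rather than captured from a device.

```c
/* Added example (not Huawei code): a minimal model of the HTTP-response
 * body handling described in this advisory, with the strcpy()-based
 * pattern beside a length-checked replacement. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample responses (not captured from a device). The second
 * one declares a 5-byte body but carries 64 bytes, the mismatch the
 * advisory describes. */
static const char BENIGN_RESPONSE[] =
    "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
static const char MALFORMED_RESPONSE[] =
    "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA";   /* 4 x 16 = 64 bytes of 'A' */

/* Find the start of the body and parse the Content-Length header value.
 * Returns NULL if either is missing or the length is not a valid number. */
static const char *split_response(const char *msg, long *content_length)
{
    const char *hdr_end = strstr(msg, "\r\n\r\n");
    if (hdr_end == NULL)
        return NULL;
    const char *cl = strstr(msg, "Content-Length:");
    if (cl == NULL || cl > hdr_end)
        return NULL;
    const char *num = cl + strlen("Content-Length:");
    char *end = NULL;
    errno = 0;
    long value = strtol(num, &end, 10);
    if (errno != 0 || end == num || value < 0)
        return NULL;
    *content_length = value;
    return hdr_end + 4;
}

/* The pattern the advisory describes: the heap buffer is sized from
 * Content-Length, but strcpy() copies until the body's NUL terminator,
 * so a body longer than Content-Length writes past the allocation.
 * Calling this on MALFORMED_RESPONSE is a heap overflow; it is kept for
 * contrast and is only ever called on the benign message here. */
char *vulnerable_parse(const char *msg)
{
    long cl;
    const char *body = split_response(msg, &cl);
    if (body == NULL)
        return NULL;
    char *buf = malloc((size_t)cl + 1);
    if (buf == NULL)
        return NULL;
    strcpy(buf, body);                  /* no check against cl: the bug */
    return buf;
}

/* Number of bytes strcpy() would write past the cl+1 byte allocation for
 * this message: 0 for a consistent message, positive when the body is
 * longer than Content-Length, -1 if the message cannot be parsed. The
 * body's strlen() stands in for the bytes actually received. */
long overflow_bytes(const char *msg)
{
    long cl;
    const char *body = split_response(msg, &cl);
    if (body == NULL)
        return -1;
    long actual = (long)strlen(body);
    return actual > cl ? actual - cl : 0;
}

/* Hardened version: cap the declared length, require the received body
 * to match it exactly, and copy exactly cl bytes with memcpy(). A body
 * that is longer or shorter than declared is rejected, never copied. */
char *hardened_parse(const char *msg, size_t max_body)
{
    long cl;
    const char *body = split_response(msg, &cl);
    if (body == NULL || (size_t)cl > max_body)
        return NULL;
    if (strlen(body) != (size_t)cl)     /* declared and actual length differ */
        return NULL;
    char *buf = malloc((size_t)cl + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, body, (size_t)cl);      /* bounded by the allocation size */
    buf[cl] = '\0';
    return buf;
}

int main(void)
{
    char *ok = hardened_parse(BENIGN_RESPONSE, 4096);
    printf("benign body: %s\n", ok);
    free(ok);
    printf("malformed: hardened parser %s; strcpy() would overrun by %ld bytes\n",
           hardened_parse(MALFORMED_RESPONSE, 4096) == NULL ? "rejected it" : "accepted it",
           overflow_bytes(MALFORMED_RESPONSE));
    return 0;
}
```

For the malformed message the declared length is 5 but the body is 64 bytes, so strcpy() would write 65 bytes into a 6-byte allocation, 59 bytes past its end; the hardened parser returns NULL for that message and only copies the benign one. The upper bound passed to hardened_parse() is the second check a real implementation needs, since a huge but self-consistent Content-Length would otherwise just become a huge allocation.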
Scenario 1: Neither Web management nor Branch Intelligent Management System (BIMS) is used for remote configuration.
Workaround: Connect to the device using SSH, shut down the HTTP service and disable the BIMS service. The detailed configuration is as follows:
AR 18/28/46:
[Quidway] ip http shutdown
[Quidway] undo bims enable
AR 19/29/49:
[Quidway] undo ip http enable
S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches:
[Quidway] ip http shutdown
(If a given switch model and software version does not support this command, that switch and version is not affected by this vulnerability and no workaround is required.)
S7800 series switches:
[Quidway] undo ip http enable
Scenario 2: Web management or BIMS is used for remote configuration of a vulnerable device.
Workaround: Connect to the device using SSH and configure a basic ACL that restricts the source IP addresses permitted to establish HTTP connections. In the configuration below, 1.1.1.1 is a placeholder for the management station that must keep HTTP access; replace it with your own address (the wildcard mask 0 matches exactly that host). The final deny rule has no source and therefore matches every other address. The detailed configuration is as follows:
AR 18/28/46:
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0
[Quidway-acl-basic-2001] rule 5 deny
[Quidway] ip http acl 2001
AR 19/29/49:
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0
[Quidway-acl-basic-2001] rule 5 deny
[Quidway] ip http acl 2001
S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches:
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0
[Quidway-acl-basic-2001] rule 5 deny
[Quidway] ip http acl 2001
(If a given switch model and software version does not support this command, that switch and version is not affected by this vulnerability and no workaround is required.)
S7800 series switches:
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0
[Quidway-acl-basic-2001] rule 5 deny
[Quidway] ip http acl 2001
Scenario 3: Web management is not supported, but the HTTP service port is open.
Workaround: Shut down the HTTP service. The detailed configuration is as follows:
S8500 series switches:
[Quidway] ip http shutdown
AR 18/28/46:
Deploy the workarounds above to mitigate the risk; no new version or patch will be released for these products.
AR 19/29/49:
Deploy the workarounds above to mitigate the risk, or upgrade to AR 19/29/49 R2207 or a later version.
S2000 series, S3000 series, S3500 series, S3900 series, S5100 series, S5600 series and S7800 series switches:
Deploy the workarounds above to mitigate the risk; no new version or patch will be released for these products.
S8500 series switches:
Deploy the workarounds above to mitigate the risk, or upgrade the S8500 to R1640 or a later version.
This vulnerability was reported by Recurity Labs GmbH. Huawei PSIRT is not aware of any public exploitation or malicious use of the vulnerability described in this advisory.
For security problems with Huawei products and solutions, please contact PSIRT@huawei.com.
For general problems with Huawei products and solutions, please contact Huawei TAC (Huawei Technical Assistance Center) directly to request configuration or technical assistance.
2012-8-4 V1.0 INITIAL
2012-8-8 V1.1 UPDATE: update affected versions
2012-8-9 V1.2 UPDATE: update affected products (Huawei switches) and replace Huawei-SA-20120804-03-AR
2012-8-14 V1.3 UPDATE: update affected switch versions and workaround description