Executive Summary



This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary
Title: Huawei E585 pocket wifi 2 device contains multiple vulnerabilities

Information
Name: VU#871148
First vendor Publication: 2012-12-13
Vendor: VU-CERT
Last vendor Modification: 2012-12-13
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:A/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score: 6.1
Attack Range: Adjacent network
Cvss Impact Score: 6.9
Attack Complexity: Low
Cvss Exploit Score: 6.5
Authentication: None Required

Detail

Vulnerability Note VU#871148

Huawei E585 pocket wifi 2 device contains multiple vulnerabilities

Original Release date: 13 Dec 2012 | Last revised: 13 Dec 2012

Overview

The Huawei E585 pocket wifi 2 device contains multiple vulnerabilities which could allow an attacker to perform administrative functions on the device.

Description

The Huawei E585 pocket wifi 2 device contains multiple vulnerabilities which could allow an attacker to perform administrative functions on the device.

    1. The Huawei E585 pocket wifi 2 device Admin Authority Authentication bypass (HWNSIRT-2012-1029) CVE-2012-5968:
    The Huawei E585 pocket wifi 2 device fails to check the login status of admin sessions. An attacker can therefore bypass the admin authority authentication, access the protected files, and configure the device. This can lead to the leak of and tampering with non-shared user data and to disclosure of the session ID, which the attacker can then use to authenticate and configure the device. The vendor has stated this vulnerability can only be exploited on the LAN side, and it cannot be exploited to launch attacks on the WAN side.

    2. The Huawei E585 pocket wifi 2 device directory traversal (HWNSIRT-2012-1030) CVE-2012-5969:
    The Huawei E585 pocket wifi 2 device fails to restrict the access path of files. An attacker can manually modify the file path in a request to reach system files, and from there access protected files or write arbitrary files into the system. Before the system interface is invoked, the web server module of the device fails to strictly check the validity of the file names and file paths contained in request packets on the LAN side. The vendor has stated this vulnerability can only be exploited on the LAN side, and it cannot be exploited to launch attacks on the WAN side.

    Example requests:
    curl -X GET http://192.168.1.1/sdcard/..%2f..%2f"$1"
    curl -X POST -d "action=request_page&page=sms.asp&req_page=../../../$1" http://192.168.1.1/en/sms.cgi

    3. The Huawei E585 pocket wifi 2 device null pointer denial-of-service (HWNSIRT-2012-1031) CVE-2012-5970:
    The Huawei E585 pocket wifi 2 device crashes when analyzing specific packets, such as the packets sent by vulnerability scanning software. The HTTP request segment in these packets can cause a character string pointer in the code (the return value of the character matching function and the character string pointer used in the login authentication function) to be set to NULL. The underlying code fails to check whether this pointer is NULL, causing a segmentation fault that can leave the device unable to respond and unable to function normally.
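The failure in item 3 is the classic unchecked return value of a string-matching call. The following C sketch is an added example, not code from the device firmware or from the advisory; the field name `SessionID=` and both function names are hypothetical, chosen only to show the unchecked pattern beside a checked one.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical field name: the advisory does not name the string the
 * firmware's matching function searches for. */
#define FIELD "SessionID="

/* The unchecked pattern the advisory describes, kept for comparison and
 * never called: when FIELD is absent strstr() returns NULL and the
 * following read faults. */
size_t session_len_unchecked(const char *req) {
    const char *p = strstr(req, FIELD);
    return strcspn(p + strlen(FIELD), ";\r\n ");
}

/* Checked form. Copies the session ID into out and returns its length, or
 * returns -1 (treat as "not logged in") when the field is missing, empty,
 * or does not fit in cap bytes. */
int session_id_checked(const char *req, char *out, size_t cap) {
    if (req == NULL || out == NULL || cap == 0)
        return -1;
    const char *p = strstr(req, FIELD);
    if (p == NULL)
        return -1;                     /* the missing NULL check */
    p += strlen(FIELD);
    size_t n = strcspn(p, ";\r\n ");
    if (n == 0 || n >= cap)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    /* Constructed requests: one with the field, one without it. */
    const char *with = "GET /en/index.asp HTTP/1.1\r\nCookie: SessionID=abc123\r\n\r\n";
    const char *without = "GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n";
    char sid[32];
    printf("with field:    %d\n", session_id_checked(with, sid, sizeof sid));
    printf("without field: %d\n", session_id_checked(without, sid, sizeof sid));
    return 0;
}
```

A request that lacks the expected field, as scanner traffic often does, takes the `-1` path and is handled as an unauthenticated request instead of faulting.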

Impact

An attacker with access to the Huawei E585 pocket wifi 2 device web interface can conduct multiple attacks, which could result in information leakage, privilege escalation, and/or denial of service.
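For the directory traversal in item 2 of the Description (CVE-2012-5969), the missing step is a validity check on the decoded path before any file is opened. The C sketch below is an added example, not the vendor's fix; the function names and the reject-any-".." policy are assumptions. It covers both request shapes shown in the Description: the percent-encoded URL path and the plain `req_page` parameter.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes once. Returns -1 on a malformed escape, a decoded NUL
 * byte, or output that does not fit in cap bytes. */
static int pct_decode(const char *in, char *out, size_t cap) {
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            char hex[3] = { in[1], in[2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            in += 2;
        }
        if (c == '\0' || n + 1 >= cap)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return 0;
}

/* Returns 1 if a URL path or req_page value may be passed to the file
 * layer, 0 if it must be refused before any file is opened. */
int path_is_safe(const char *raw) {
    char buf[256];
    if (raw == NULL || pct_decode(raw, buf, sizeof buf) != 0)
        return 0;
    if (strchr(buf, '%') || strchr(buf, '\\'))
        return 0;               /* double encoding, or backslash separators */
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/"))
        if (strcmp(seg, "..") == 0)
            return 0;           /* any parent-directory segment is refused */
    return 1;
}

int main(void) {
    /* Constructed inputs; FILE stands in for the "$1" argument above. */
    const char *t[] = { "/sdcard/photo.jpg", "/sdcard/..%2f..%2fFILE",
                        "../../../FILE", "/sdcard/..%252fFILE" };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-26s %s\n", t[i], path_is_safe(t[i]) ? "allow" : "refuse");
    return 0;
}
```

The check runs on the decoded string, so `..%2f` and `%2e%2e` are caught the same way as a literal `../`, and a leftover `%` after one decoding pass is treated as double encoding.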

Solution

Update

The vendor has released updated versions of the device software. For update information see Huawei-SA-20121124-1-E585 and Huawei-SA-20121203-1-E585.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Huawei E585 pocket wifi 2 web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor               Status    Date Notified  Date Updated
Huawei Technologies  Affected  24 Oct 2012    11 Dec 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           7.3    AV:N/AC:H/Au:N/C:C/I:C/A:P
Temporal       5.6    E:POC/RL:W/RC:UC
Environmental  1.5    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198239.htm
  • http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198240.htm

Credit

Thanks to John Bird for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2012-5968, CVE-2012-5969, CVE-2012-5970
  • Date Public: 24 Nov 2012
  • Date First Published: 13 Dec 2012
  • Date Last Updated: 13 Dec 2012
  • Document Revision: 9

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/871148

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)
50 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

Type Description Count
Hardware 1
Hardware 1

Alert History

Date Information
2013-01-11 21:24:38
  • Multiple Updates
2013-01-11 21:22:34
  • Multiple Updates
2012-12-20 21:19:46
  • Multiple Updates
2012-12-19 13:27:30
  • Multiple Updates
2012-12-13 17:22:12
  • First insertion