Huawei E585 pocket wifi 2 device contains multiple vulnerabilities

Overview

The Huawei E585 pocket wifi 2 device contains multiple vulnerabilities which could allow an attacker to perform administrative functions on the device.

Description

The Huawei E585 pocket wifi 2 device contains multiple vulnerabilities which could allow an attacker to perform administrative functions on the device.

1. The Huawei E585 pocket wifi 2 device Admin Authority Authentication bypass (HWNSIRT-2012-1029) CVE-2012-5968:
Huawei E585 pocket wifi 2 device fails to check the login status of admin sessions, which leads to an attacker being able to bypass the admin authority authentication allowing them access to the protected files and configure the device. This can lead to the leak and tampering of the non-shared user data and the disclosure of the session ID, allowing the attacker to configure the devices by authentication with the session ID which can be obtained by the attacker. The vendor has stated this vulnerability can only be exploited on the LAN side, and it cannot be exploited to launch attacks on the WAN side.

2. The Huawei E585 pocket wifi 2 device directory traversal (HWNSIRT-2012-1030) CVE-2012-5969:
Huawei E585 pocket wifi 2 device fails to restrict the access path of the files. Attackers can modify the path of the files manually giving them access to the system files to further access the protected files or write arbitrary files into the system. Before the system interface is invoked, the web server module of Huawei E585 pocket wifi 2 device fails to strictly check the validity of the file names and the paths of the files which are contained in the request packets on the LAN side. The vendor has stated this vulnerability can only be exploited on the LAN side, and it cannot be exploited to launch attacks on the WAN side.

Examples requests:
curl -X GET ``<http://192.168.1.1/sdcard/..%2f..%2f>``"$1" curl -X POST -d "action=request_page&page=sms.asp&req_page=../../../$1" ``<http://192.168.1.1/en/sms.cgi>

3. The Huawei E585 pocket wifi 2 device null pointer denial-of-service (HWNSIRT-2012-1031) CVE-2012-5970:
Huawei E585 pocket wifi 2 device crashes when analyzing specific packets (such as the packets which are sent by vulnerability scanning software), the HTTP request segment in the packets can cause a character string pointer in the code (the return value of the character matching function and the character string pointer used in the login authentication function) to be set to Null, which the underling code fails to check whether the value of this pointer is null or not, causing a segment fault, which can cause the devices to become unable to respond and fail to function normally.

---

Impact

An attacker with access to the Huawei E585 pocket wifi 2 device web interface can conduct multiple attacks, which could be used to result in information leakage, privilege escalation, and/or denial of service.

---

Solution

Update

The vendor has released updated versions of the device software. For update information see Huawei-SA-20121124-1-E585 and Huawei-SA-20121203-1-E585.

---

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user’s host. Restricting access would prevent an attacker from accessing the Huawei E585 pocket wifi 2 web interface using stolen credentials from a blocked network location.

---

Vendor Information

871148

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Huawei Technologies Affected

Notified: October 24, 2012 Updated: December 11, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198239.htm&gt;
• <http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198240.htm&gt;

CVSS Metrics

Group	Score	Vector
Base	7.3	AV:N/AC:H/Au:N/C:C/I:C/A:P
Temporal	5.6	E:POC/RL:W/RC:UC
Environmental	1.5	CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

• <http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198239.htm&gt;
• <http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-198240.htm&gt;

Acknowledgements

Thanks to John Bird for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs:	CVE-2012-5968, CVE-2012-5969, CVE-2012-5970
Date Public:	2012-11-24 Date First Published: