Huawei Technologies, HUAWEI-SA-20150930-01-ROUTERS
Sep 30, 2015 - 12:00 a.m.

Security Advisory - Information Leak Vulnerability in Certain Huawei Products

2015-09-30 00:00:00
Huawei Technologies
www.huawei.com
CVSS2: 4 Medium
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 4.9 Medium
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.001 Low
  Percentile: 43.5%

Some Huawei products have two information leak vulnerabilities caused by improper encryption mechanisms.

Users can use reversible or irreversible encryption algorithms to encrypt passwords. If a reversible encryption algorithm is used to encrypt administrators’ passwords, an attacker with high administrative privileges can log in to the device, obtain the ciphertext password of a higher-level administrator, and crack it to get elevated privileges. (Vulnerability ID: HWPSIRT-2015-06073)

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-8085.

Encryption keys are stored in the system. An attacker can reverse engineer the system to obtain the encryption keys. (Vulnerability ID: HWPSIRT-2015-06080)

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-8086.

After successful exploitation of the two vulnerabilities, the attacker can obtain plaintext passwords, leading to user information leaks.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:

http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-455876.htm
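
As an added example (not part of Huawei's advisory), the following Python sketch audits a saved configuration for administrator passwords stored in a recoverable form, which is the condition the advisory describes. The sample configuration is constructed, and the `local-user ... password cipher|irreversible-cipher|simple` and `privilege level` line shapes are an assumed VRP-style syntax that should be adapted to the device's actual output.

```python
import re

# Constructed sample configuration. The line shapes below are an assumed
# VRP-style syntax; they are not taken from the advisory.
SAMPLE_CONFIG = """\
aaa
 local-user netadmin password cipher %$%$CONSTRUCTED-CIPHERTEXT-1%$%$
 local-user netadmin privilege level 15
 local-user operator password irreversible-cipher CONSTRUCTED-HASH-2
 local-user operator privilege level 3
 local-user monitor password simple ConstructedPlain3
 local-user monitor privilege level 1
"""

PASSWORD_RE = re.compile(r"^\s*local-user\s+(\S+)\s+password\s+(\S+)\s+\S+")
LEVEL_RE = re.compile(r"^\s*local-user\s+(\S+)\s+privilege\s+level\s+(\d+)")

# Storage modes from which the plaintext password can be recovered.
RECOVERABLE = {"cipher": "reversible encryption", "simple": "plaintext"}


def audit(config_text):
    """Return accounts with recoverable password storage, highest privilege first."""
    modes, levels = {}, {}
    for line in config_text.splitlines():
        m = PASSWORD_RE.match(line)
        if m:
            modes[m.group(1)] = m.group(2)
            continue
        m = LEVEL_RE.match(line)
        if m:
            levels[m.group(1)] = int(m.group(2))
    findings = [
        {"user": user, "level": levels.get(user), "storage": RECOVERABLE[mode]}
        for user, mode in modes.items()
        if mode in RECOVERABLE
    ]
    # Accounts with no privilege line sort last; otherwise highest level first.
    findings.sort(key=lambda f: (f["level"] is None, -(f["level"] or 0)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['user']}: level {f['level']}, stored with {f['storage']}")
```

Accounts reported here are candidates for re-setting the password with an irreversible algorithm after the fixed software is installed.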

Affected configurations

Vendor   Product          Version
huawei   ar               V200R001
huawei   ar               V200R002
huawei   ar               V200R003
huawei   ar               V200R005C10
huawei   ar               V200R005C20
huawei   ar               V200R005C30
huawei   quidway_s9300    V200R003C00SPC500
huawei   quidway_s9300    V200R002C00SPC100
huawei   quidway_s9300    V200R001C00SPC300
huawei   s12700           V200R006C00
huawei   s12700           V200R005C00
huawei   s9300            V200R006C00SPC500
huawei   s9300            V200R005C00SPC300
huawei   quidway_s5300    V200R001C00SPC300
huawei   s5700            V200R006C00
huawei   s5700            V200R005C00
huawei   s5700            V200R003C00
huawei   s5700            V200R002C00
huawei   s5700            V200R001C00
huawei   s5300            V200R006C00SPC500
huawei   s5300            V200R005C00SPC500
huawei   s5300            V200R002C00
