
Security Advisory-HTTP Session Management Vulnerability in HTTP Module

  • SA No: Huawei-SA-20120808-01-HTTP-Module
  • Initial Release Date: Aug 04, 2012
  • Last Release Date: Aug 14, 2012

Branch Intelligent Management System (BIMS) and Web management are provided by Huawei for network and device management.

Both BIMS and Web management use HTTP, so HTTP must be enabled to use either of them. Because HTTP session ID generation is weak and predictable, an attacker can hijack an HTTP session (Vulnerability ID: HWNSIRT-2012-0803).

This vulnerability was first reported by Felix Lindner of Recurity Labs GmbH.

Currently, workarounds are available and are detailed below.

1. Affected Products:

  • AR router: The AR18/28/46 and AR19/29/49 are multi-service routers for small and medium-sized enterprises. The AR18/28/46 supports Branch Intelligent Management System (BIMS), which is provided by Huawei for network and device management. The AR18-2X, AR18-3X, and AR18-3XE also support Web management. The AR19/29/49 supports Web management only.

Affected versions:

AR 19/29/49 versions earlier than R2207

AR 28/46 R0311 and earlier versions

AR 18-3x R0118 and earlier versions

AR 18-2x R1712 and earlier versions

AR18-1x R0130 and earlier versions

  • Huawei Switches: S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches support Web management and enable the HTTP service. S7800 series switches running version R6305 or later support Web management and enable the HTTP service.

Affected versions:

S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches

S7800 series switches running version R6305 or later

2. Not affected products:

  • AR router: AR routers are multi-service routers for small and medium-sized enterprises.

Not Affected versions:

AR G3 (AR 200/1200/2200/3200)

AR19/29/49 R2207 and later versions

  • Huawei Switches: The Huawei Series switches feature a multi-service routing and switching platform to meet requirements for service bearing at the access, aggregation, and core layers of a network.

Not Affected versions:

S6500 & 8500 series switches

S7800 series switches with R6105 version

S2300&3300&5300&6300&9300 series switches

S2700&3700&5700&6700&7700&9700 series switches


The device processes only HTTP messages that carry a valid HTTP session ID. After hijacking a session, an attacker can send HTTP messages that affect the operation of the device or use the session to launch further attacks.



The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

HTTP Session ID is too short:

Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Temporal Score: 6.7 (E:H/RL:T/RC:C)


All the following conditions must be satisfied:

1. Attackers have obtained the IP address of the management interface.

2. A user is online to configure the device through Web service.

3. The IP address of the management interface is reachable.



The HTTP session ID is too short, so the range of possible values is small. An attacker can iterate over all possible session IDs and find one or more that are currently valid.
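An added example, not part of Huawei's advisory: a Python audit that bounds the entropy of session IDs collected from your own device, flags IDs that advance in a fixed step, and shows the hardened form beside the weak one. The 8-hex-digit sample IDs and the 64-bit threshold are assumptions; the advisory does not publish the real ID format.

```python
import math
import secrets

MIN_BITS = 64  # assumed acceptance threshold, not a value from the advisory

# Constructed sample: short hex IDs issued one after another (not real device output).
WEAK_SAMPLE = ["0001a3f0", "0001a3f1", "0001a3f2", "0001a3f3"]

def alphabet_size(ids):
    chars = set("".join(ids))
    if chars <= set("0123456789"):
        return 10
    if chars <= set("0123456789abcdefABCDEF"):
        return 16
    return 64  # assume a base64-like alphabet for anything else

def max_entropy_bits(ids):
    """Upper bound: longest ID length times bits per character."""
    return max(len(i) for i in ids) * math.log2(alphabet_size(ids))

def looks_sequential(ids):
    """True when IDs, read as hex numbers in issue order, advance by one constant step."""
    try:
        values = [int(i, 16) for i in ids]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(values) > 2 and len(steps) == 1

def expected_guesses(bits, live_sessions=1):
    """Mean tries to hit one of `live_sessions` valid IDs when every value is tried once."""
    return (2 ** bits + 1) / (live_sessions + 1)

def new_session_id():
    """Hardened form: 128 bits from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(16)

def audit(ids):
    bits = max_entropy_bits(ids)
    sequential = looks_sequential(ids)
    return {"bits": round(bits, 1), "sequential": sequential,
            "ok": bits >= MIN_BITS and not sequential}

if __name__ == "__main__":
    print(audit(WEAK_SAMPLE), expected_guesses(32))
    print(audit([new_session_id() for _ in range(5)]))
```

The entropy figure is an upper bound only: an ID can be long and still predictable, which is why the step check is reported separately.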




Scenario 1: When neither Web management nor Branch Intelligent Management System (BIMS) is used for remote configuration.

Workarounds: Connect to the device using SSH and shut down the HTTP port and disable BIMS service. The detailed configuration is as follows:

AR 18/28/46:

[Quidway] ip http shutdown

[Quidway] undo bims enable

AR 19/29/49:

[Quidway] undo ip http enable

S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches:

[Quidway] ip http shutdown (If a particular switch and software version does not support this command, the vulnerability described here does not exist in that switch and version, and no workaround needs to be implemented.)

S7800 series switches:

[Quidway] undo ip http enable

 

Scenario 2: Web management or BIMS is used for remote device configuration.

Workarounds: Connect to the device using SSH and set ACL rules to restrict source IP addresses for HTTP establishment. The detailed configuration is as follows:

AR 18/28/46:

[Quidway] acl number 2001

[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0

[Quidway-acl-basic-2001] rule 5 deny

[Quidway] ip http acl 2001

AR 19/29/49:

[Quidway] acl number 2001

[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0

[Quidway-acl-basic-2001] rule 5 deny

[Quidway] ip http acl 2001

S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches:

[Quidway] acl number 2001

[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0

[Quidway-acl-basic-2001] rule 5 deny

[Quidway] ip http acl 2001 (If a particular switch and software version does not support this command, the vulnerability described here does not exist in that switch and version, and no workaround needs to be implemented.)

S7800 series switches:

[Quidway] acl number 2001

[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0

[Quidway-acl-basic-2001] rule 5 deny

[Quidway] ip http acl 2001
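An added example, not Huawei's code: a Python check of which source addresses the ACL from Scenario 2 admits, so a rule set can be verified before it is bound with ip http acl 2001. It assumes rules are matched in ascending rule ID with the first match winning and that wildcard bits set to 1 are ignored; it also accepts subnet wildcards, which goes beyond the single host shown in the advisory.

```python
import ipaddress
import re

# Constructed from the advisory's Scenario 2 commands; 1.1.1.1 is its sample management host.
ACL_2001 = """
rule 0 permit source 1.1.1.1 0
rule 5 deny
"""

RULE = re.compile(r"rule\s+(\d+)\s+(permit|deny)(?:\s+source\s+(\S+)\s+(\S+))?$")

def parse_acl(text):
    """Parse basic-ACL rule lines into (rule_id, action, base, wildcard) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        rule_id, action, addr, wildcard = m.groups()
        if addr is None:
            base, mask = 0, 0xFFFFFFFF  # no source clause: matches any address
        else:
            base = int(ipaddress.IPv4Address(addr))
            # "0" is the short form of wildcard 0.0.0.0 (exact host match)
            mask = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
        rules.append((int(rule_id), action, base, mask))
    return sorted(rules)  # assumption: evaluated in ascending rule ID

def decide(rules, source_ip):
    """Return (action, rule_id) of the first matching rule, or ("no-match", None)."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for rule_id, action, base, mask in rules:
        if (ip | mask) == (base | mask):  # wildcard bits set to 1 are "don't care"
            return action, rule_id
    return "no-match", None

if __name__ == "__main__":
    rules = parse_acl(ACL_2001)
    for src in ("1.1.1.1", "1.1.1.2", "192.0.2.10"):
        print(src, decide(rules, src))
```

Replace 1.1.1.1 with the address of the actual management station before applying the rules; as written, only that one host reaches the HTTP service.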


AR 18/28/46:

Deploy the workarounds described above to mitigate the risks. No new version or patch will be released.

AR 19/29/49:

Deploy the workarounds described above to mitigate the risks, or upgrade to AR 19/29/49 R2207 or a later version.

 

S2000 series, S3000 series, S3500 series, S3900 series, S5100 series, S5600 series and S7800 series switches:

Deploy the workarounds described above to mitigate the risks. No new version or patch will be released.



Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.

This vulnerability was reported by Recurity Labs GmbH. The Huawei PSIRT is not aware of any public or malicious use of the vulnerability described in this advisory.

For security problems about Huawei products and solutions, please contact PSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


2012-8-4 V1.0 INITIAL

2012-8-8 V1.1 UPDATE update affected versions

2012-8-9 V1.2 UPDATE update affected product: Huawei switches and replace the Huawei-SA-20120804-01-AR

2012-8-14 V1.3 UPDATE update workaround description

none.


This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.