This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Security Advisory - Buffer Overflow in Huawei UTPS Back-End

  • SA No:Huawei-SA-20120922-01-UTPS
  • Initial Release Date: Sep 22, 2012
  • Last Release Date: Feb 22, 2013

The back-end software UTPS is the application software which is operated on the management data card of PC to realize the configuration and dial-up connection of data card, instant messages receiving and sending, telephone directory management and the like. The current product has a vulnerability:

The UTPS1.0 back-end does not fully verify the incoming parameters when copying the character strings during the process of uploading the plug-in configuration files, which leads to the overflow(HWNSIRT-2012-0994). As a result, the script which is specified by some malicious users may be executed to run the application program which is specified by the malicious users.

This vulnerability was first reported by Souhail Hammou (Dark-Puzzle). Huawei would like to thank for Souhail Hammou’s findings and continuously concerns on Huawei products..

Currently, workarounds are available and are listed below. Huawei has also made the version plan to resolve this vulnerability.

The below affected products can deploy the workarounds mentioned above to mitigate the risks, or be upgraded to the below versions:                              

Product Model

Back-End Version

Solved Version

Solved Time

E173u-1

UTPS11.302.09.06.162

UTPS21.005.22.00.162_MAC21
.005.22.01.162

2012-9-26

E153u-1

UTPS11.302.09.05.162

UTPS21.005.15.06.162_MAC21
.005.15.01.162

2012-9-26

The other affected products can deploy the workarounds mentioned above to mitigate the risks, and there is no new version or patch to be released.

The security vulnerability may be utilized by malicious users to run the specified programs.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 6.9 (AV: L/AC: M/Au:N/C:C/I:C/A:C) 

Temporal Score: 6.2 (E: F/RL: W/RC: C)

The back-end does not fully verify the incoming parameters when copying the character strings during the process of uploading the plug-in configuration files, and the character strings have not been checked before copying. If there is a long character string saved in the configuration files, the copying execution will lead to the overflow of the invoked buffer:

1. Prerequisite:

Obtain the local user privilege;

2. Attacking procedure:

Modify the configuration file, and save a long character string in the specified attribute. Execute the program which will lead to the overflow of the invoked buffer;

3. Impact:

The security vulnerability may be utilized by malicious users to run the specified programs.

Users of Windows can upgrade the operation system to Windows XP sp3 directly or can download UTPS2.0 from our web site to cope with the security vulnerability.

1. Users of Windows XP sp1 can log in to the Web site of Microsoft to install the patch Windows XP sp3.

2. Users of the operation systems of higher versions will not be affected.

http://www.huaweidevice.com/

This vulnerability is reported by Souhail Hammou (http://packetstormsecurity.org/files/download/116604/huawei-overflow.txt). The Huawei PSIRT is not aware of any malicious use launched to attack through the vulnerability described in this advisory.

For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


22nd Sep, 2012 V1.0 INITIAL

22nd Feb, 2013 V2.0 UPDATED updates the vulnerability researcher name.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.