
Security Advisory-Buffer Overflow on Stack in HTTP Module
SA No: Huawei-SA-20120808-02-HTTP-Module Release Date: 2012-8-4

Summary

Branch Intelligent Management System (BIMS) and Web management is provided by Huawei for network and device management.

Both BIMS and Web management use HTTP, so HTTP must be enabled to use either of them. An attacker can trigger a stack overflow by sending an HTTP request whose URI is longer than the declared buffer length, and can thereby remotely execute arbitrary commands (Vulnerability ID: HWNSIRT-2012-0804).

This vulnerability was first reported by Felix Lindner of Recurity Labs GmbH.

Currently, workarounds are available and are detailed below.

Affected Products

1. Affected Products:

AR router: The AR18/28/46 and AR19/29/49 are multi-service routers for small and medium-sized enterprises. The AR18/28/46 supports Branch Intelligent Management System (BIMS), which is provided by Huawei for network and device management. The AR18-2X, AR18-3X, and AR18-3XE also support Web management. The AR19/29/49 supports Web management only.

Affected versions:

  • AR 19/29/49 versions earlier than R2207
  • AR 28/46 R0311 and earlier versions
  • AR 18-3x R0118 and earlier versions
  • AR 18-2x R1712 and earlier versions
  • AR18-1x R0130 and earlier versions

Huawei switches: S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches support Web management and enable the HTTP service. S7800 series switches running R6305 or later support Web management and enable the HTTP service. The S8500 series switches do not support Web management, but the HTTP server is enabled by default in earlier versions.

Affected versions:

  • S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches
  • S7800 series switches running R6305 or later
  • S8500 series switches with the version R1631
  • S8500 series switches with the version R1632

2. Not affected products:

AR router: AR routers are multi-service routers for small and medium-sized enterprises.

Not Affected versions:

  • AR G3 (AR 200/1200/2200/3200)
  • AR19/29/49 R2207 and later versions

Huawei switches: Huawei series switches provide a multi-service routing and switching platform that meets the service-bearing requirements of the access, aggregation, and core layers of a network.

Not Affected versions:

  • S6500 series switches
  • S7800 series switches running R6105
  • S8500 series switches with versions earlier than R1631
  • S8500 series switches with versions later than R1632
  • S2300&3300&5300&6300&9300 series switches
  • S2700&3700&5700&6700&7700&9700 series switches

Impact

By exploiting the vulnerability, an attacker can execute injected arbitrary code, for example to elevate privileges or create a root account.

Vulnerability Scoring Details

The vulnerability classification has been performed using the CVSSv2 scoring system (http://www.first.org/cvss/).

Over-long URI resulting in a stack overflow:

Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Temporal Score: 8.4 (E:H/RL:T/RC:C)

Technical Details

All the following conditions must be satisfied:

1. The HTTP management interface is in the "Up" state (this interface is enabled by default).

2. The IP address of the management interface is reachable.

3. The attacker has the right to use the HTTP management interface, or is able to hijack an HTTP session by exploiting the SESSION-ID-Too-Short vulnerability (see Huawei-SA-20120804-01-HTTP-Module for details).

Vulnerability details:

When the URI of an HTTP message is longer than the specified maximum length, copying it into the buffer causes a stack overflow. An attacker can place shellcode in the URI and have it executed remotely on the device; through this vulnerability the attacker can take control of the whole device.

Temporary Fix

Scenario 1: Neither Web management nor Branch Intelligent Management System (BIMS) is used to configure the vulnerable devices remotely.

Workarounds: Connect using SSH, shut down the HTTP port and disable the BIMS service. The detailed configuration is as follows:

AR 18/28/46:

[Quidway] ip http shutdown

[Quidway] undo bims enable

AR 19/29/49:

[Quidway] undo ip http enable

S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches:

[Quidway] ip http shutdown (If this command is not supported by a given switch and version, the vulnerability described here does not exist on that switch and version, and no workaround needs to be implemented.)

S7800 series switches:

[Quidway] undo ip http enable

Scenario 2: Web management or BIMS is used to configure the vulnerable devices remotely.

Workarounds: Connect using SSH and configure ACL rules that restrict the source IP addresses allowed to establish HTTP connections. In the configurations below, 1.1.1.1 stands for the management host that is permitted to connect; the final deny rule blocks every other source. The detailed configuration is as follows:

AR 18/28/46:

[Quidway] acl number 2001

[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0

[Quidway-acl-basic-2001] rule 5 deny

[Quidway] ip http acl 2001

AR 19/29/49:

[Quidway] acl number 2001

[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0

[Quidway-acl-basic-2001] rule 5 deny

[Quidway] ip http acl 2001

S2000 series, S3000 series, S3500 series, S3900 series, S5100 series and S5600 series switches:

[Quidway] acl number 2001

[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0

[Quidway-acl-basic-2001] rule 5 deny

[Quidway] ip http acl 2001 (If this command is not supported by a given switch and version, the vulnerability described here does not exist on that switch and version, and no workaround needs to be implemented.)

S7800 series switches:

[Quidway] acl number 2001

[Quidway-acl-basic-2001] rule 0 permit source 1.1.1.1 0

[Quidway-acl-basic-2001] rule 5 deny

[Quidway] ip http acl 2001

Scenario 3: Web management is not supported, but the HTTP service port is open.

Workarounds: Shut down the HTTP port. The detailed configuration is as follows:

S8500 series switches:

[Quidway] ip http shutdown
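To verify that a device actually carries one of the three workarounds above, the following added example (not Huawei tooling) audits a pasted CLI session or configuration text. It assumes one command per line, an optional [Quidway...] prompt prefix, and that the product family is known to the caller; the family-to-command table is taken from Scenarios 1 to 3.

```python
"""Audit a Quidway CLI session for the Huawei-SA-20120808-02 workarounds."""
import re

# Commands that disable HTTP management (and BIMS) per product family,
# as listed in the advisory's Scenario 1 and Scenario 3 workarounds.
DISABLE_CMDS = {
    "AR18/28/46": {"ip http shutdown", "undo bims enable"},
    "AR19/29/49": {"undo ip http enable"},
    "S2000-S5600": {"ip http shutdown"},
    "S7800": {"undo ip http enable"},
    "S8500": {"ip http shutdown"},
}
PROMPT = re.compile(r"^\[Quidway[^\]]*\]\s*")  # assumed prompt format


def commands(session):
    """Strip prompts and blank lines; collapse whitespace inside each command."""
    cmds = [re.sub(r"\s+", " ", PROMPT.sub("", ln.strip())) for ln in session.splitlines()]
    return [c for c in cmds if c]


def acl_rules(cmds, number):
    """Rules entered while in the 'acl number <number>' view."""
    rules, inside = [], False
    for c in cmds:
        if c.startswith("acl number "):
            inside = c == f"acl number {number}"
        elif inside and c.startswith("rule "):
            rules.append(c)
    return rules


def audit(session, family):
    """Return (mitigated, reason) for one device of the given product family."""
    cmds = commands(session)
    missing = DISABLE_CMDS[family] - set(cmds)
    if not missing:
        return True, "Scenario 1/3: HTTP management disabled"
    # Scenario 2: HTTP stays enabled, so a bound ACL must whitelist sources and end in deny.
    bound = [c for c in cmds if c.startswith("ip http acl ")]
    if not bound:
        return False, "HTTP still enabled: " + ", ".join(sorted(missing)) + " not configured and no ACL bound"
    number = bound[-1].split()[-1]
    rules = acl_rules(cmds, number)
    permits = [r for r in rules if re.match(r"rule \d+ permit source \S+ \S+$", r)]
    if not permits:
        return False, f"ACL {number} permits no specific source"
    if not any(re.match(r"rule \d+ deny$", r) for r in rules):
        return False, f"ACL {number} has no final deny; other sources still reach HTTP"
    return True, f"Scenario 2: HTTP restricted by ACL {number} to {len(permits)} source(s)"
```

The advisory's own snippets can be pasted in as the session text; a missing final deny rule is reported as unmitigated because the ACL would then only add a permit without blocking anyone.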

Software Versions and Fixes

AR 18/28/46:

Deploy the workarounds described above to mitigate the risk; no new version or patch will be released.

AR 19/29/49:

Deploy the workarounds described above to mitigate the risk, or upgrade to AR 19/29/49 R2207 or later.

S2000 series, S3000 series, S3500 series, S3900 series, S5100 series, S5600 series and S7800 series switches:

Deploy the workarounds described above to mitigate the risk; no new version or patch will be released.

S8500 series switches:

Deploy the workarounds described above to mitigate the risk, or upgrade the S8500 to R1640 or later.

FAQs

None

Obtaining Fixed Software

AR 19/29/49:

http://support.huawei.com/support/pages/editionctrl/catalog/ShowVersionDetail.do?actionFlag=clickNode&node=000001505159&colID=ROOTENWEB|CO0000000174

S8500 series switches:

http://support.huawei.com/support/pages/editionctrl/catalog/ShowVersionDetail.do?actionFlag=clickNode&node=000000300196&colID=ROOTWEB|CO0000000065

Contact Channel for Technical Issues

PSIRT@huawei.com

Revision History

2012-8-4 V1.0 INITIAL

2012-8-8 V1.1 UPDATE: updated affected versions of AR

2012-8-9 V1.2 UPDATE: updated affected products (Huawei switches) and replaced Huawei-SA-20120804-02-AR

2012-8-14 V1.3 UPDATE: updated affected switch versions and workaround description

Exploitation and Vulnerability Source

This vulnerability was reported by Recurity Labs GmbH. Huawei PSIRT is not aware of any public or malicious exploitation of the vulnerability described in this advisory.

Declaration

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei Investment & Holding Co., Ltd. or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

The information and data embodied in this document and any attachment are strictly confidential information of Huawei and are supplied on the understanding that they will be held confidentially and not disclosed to third parties without the prior written consent of Huawei. You shall use all reasonable efforts to protect the confidentiality of information. In particular, you shall not directly or indirectly disclose, allow access to, transmit or transfer the information to a third party without our prior written consent. Thank you for your co-operation.

Huawei Security Procedures

Contact us through PSIRT@huawei.com if you need to:

1. Provide feedback on security vulnerabilities in Huawei products.

2. Get support for Huawei security incident response services.

3. Obtain Huawei security vulnerability information.
