Security Notice - Response to the Presentation of “Hacking Huawei VRP” at HITB SecConf

  • Initial Release Date: Dec 21, 2012
  • Last Release Date: Dec 21, 2012

On October 11th, 2012, Felix ‘FX’ Lindner presented a report titled “Hacking Huawei VRP” at HITB SecConf 2012 in Malaysia. On obtaining the material, Huawei PSIRT immediately conducted an in-depth analysis and evaluation of the report.

This report updates the one Felix ‘FX’ Lindner presented at DefCon 2012 in the US, adding the explanation that the Bootloader (BIOS) password of routers can be reset by a ‘hard-coded password’. According to the analysis undertaken by Huawei PSIRT, it can be concluded that this issue does not cause any substantial security risk.

To prevent improper use of BIOS functions, a BIOS password was added to enhance protection. Customers can change this password themselves. For the case where a customer forgets the BIOS password, the product includes a function for resetting it: Huawei designed the BIOS so that customers can reset the BIOS password through the local physical serial port during device startup. The design cannot bypass the customer’s authorization and will not bring any substantial security risk to customers. Subsequent Huawei products have removed the BIOS password reset function in order to avoid external misunderstanding.

For the other issues in Felix ‘FX’ Lindner’s report, Huawei has released official responses. Please refer to the following links:

Security Notice-Statement on Recurity Lab Revealing Security Vulnerabilities in Huawei AR Series Routers    

Security Advisory-HTTP Session Management Vulnerability in HTTP Module

Security Advisory-Buffer Overflow on Stack in HTTP Module

Security Advisory-Buffer Overflow on Heap When Parsing Http Response in HTTP Module

2012-12-21 V1.0 INITIAL


Huawei adheres to protecting the ultimate interests of users with best efforts and to the principle of responsible disclosure, and deals with product security issues through its response mechanism. Please report to Huawei PSIRT at psirt@huawei.com if you find any security vulnerability in Huawei products.