Security Notice-Response to the Presentation of “Hacking Huawei VRP” at HITB SecConf

On October 11th, 2012, Felix ‘FX’ Lindner presented a report titled “Hacking Huawei VRP” at HITB SecConf 2012 in Malaysia. Upon obtaining the material, Huawei PSIRT immediately conducted an in-depth analysis and evaluation of the report.

The report builds on the report Felix ‘FX’ Lindner gave at DefCon 2012 in the US, adding the explanation that the bootloader (BIOS) password of routers can be reset by a ‘hard-coded password’. Based on its analysis, Huawei PSIRT concluded that this issue does not cause any substantial security risk.

To prevent improper use of BIOS functions, a BIOS password was added to enhance protection. Customers can change this password themselves. For cases where the customer forgets the BIOS password, the product includes a function for resetting it. Huawei designed the BIOS so that customers can reset the BIOS password through the local physical serial port during device startup. The design cannot bypass the customer’s authorization and will not bring any substantial security risk to customers. Subsequent Huawei products have removed the BIOS password reset function in order to avoid external misunderstanding.

For the other issues in Felix ‘FX’ Lindner’s report, Huawei has released official responses. Please refer to the following links:

Security Notice-Statement on Recurity Lab Revealing Security Vulnerabilities in Huawei AR Series Routers

Security Advisory-HTTP Session Management Vulnerability in HTTP Module

Security Advisory-Buffer Overflow on Stack in HTTP Module

Security Advisory-Buffer Overflow on Heap When Parsing Http Response in HTTP Module
