
Security Advisory-XSS Security Vulnerability on Huawei E355

  • SA No: Huawei-SA-20141011-01-E355
  • Initial Release Date: 2014-10-11
  • Last Release Date: 2014-10-11

Huawei E355 portable 3G wireless routers have a stored cross-site scripting (XSS) vulnerability. Attackers can exploit the vulnerability to plant malicious scripts into the configuration file to interrupt the services of legitimate users. (Vulnerability ID: HWPSIRT-2014-0516)

The CVE No. of the vulnerability is CVE-2014-2968.

| Product Name | Affected Version | Resolved Product and Version |
|---|---|---|
| E355 | Software version: 21.157.37.01.910; Web UI version: 11.001.08.00.03 | Software version: 22.158.45.02.910; Web UI version: 13.100.04.02.910 |

Attackers can exploit the vulnerability to interrupt the services of legitimate users to a limited extent.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)

Temporal Score: 4.2 (E:F/RL:O/RC:C)


1. Prerequisite:

1)    Attackers can access the LAN ports of the target device.

2)    Legitimate users must be online during the attack.

2. Attacking procedure:

Huawei E355 portable 3G wireless routers have a stored cross-site scripting (XSS) vulnerability. Attackers can send specially crafted HTTP POST packets to plant malicious scripts into the configuration file to interrupt the services of legitimate users.

When the vulnerability is exploited, the impact is some unwanted pop-ups when legitimate users access the web page of the device. The malicious scripts have limited permissions and cannot modify device configuration or leak user information.

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.


The vulnerability was discovered by Jimson K James. Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

Huawei thanks Jimson K James for the responsible vulnerability report.

For security problems about Huawei products and solutions, please contact PSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


2014-10-11 V1.0 INITIAL

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.