Security Advisory – Multiple “BlueBorne” vulnerabilities on Huawei Products
- SA No:huawei-sa-20171018-01-blueborne
- Initial Release Date: 2017-10-18
- Last Release Date: 2017-12-20
There are multiple vulnerabilities of the BlueTooth Network in some Huawei products. These vulnerabilities are as follows:
1.Remote Code Execution Vulnerability
This vulnerability resides in the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering). Due to a flaw in the BNEP service, successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code on affected devices. (Vulnerability ID: HWPSIRT-2017-09131)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-0781.
2. Remote Code Execution vulnerability
This vulnerability is similar to the previous one, but resides in a higher level of the BNEP service – the Personal Area Networking (PAN) profile – which is responsible for establishing an IP based network connection between two devices. Similar to the previous vulnerability, successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code on affected devices. (Vulnerability ID: HWPSIRT-2017-09132)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-0782.
3. The Bluetooth Pineapple – Man in The Middle attack
This vulnerability resides in the PAN profile of the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim’s device, re-configure IP routing and force the device to transmit all communication through the malicious network interface. This vulnerability could allow an attacker to launch man-in-the-middle (MITM) attacks. (Vulnerability ID: HWPSIRT-2017-09133)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-0783.
4. Information Leak Vulnerability
The vulnerability was found in the SDP (Service Discovery Protocol) server, which enables the device to identify other Bluetooth services around it. The flaw allows the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response. These pieces of information can later be used by the attacker to overcome advanced security measures and take control over the device. (Vulnerability ID: HWPSIRT-2017-09134)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-0785.
Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171018-01-blueborne-en
|
Product Name |
Affected Version |
Resolved Product and Version |
|
CAM-AL00 |
CAM-AL00C00B220 |
CAM-AL00C00B230 |
|
CAM-TL00 |
CAM-TL00C01B220 |
CAM-TL00C01B230 |
|
CAM-TL00H |
CAM-TL00HC00B220 |
CAM-TL00HC00B230 |
|
CAM-UL00 |
CAM-UL00C00B220 |
CAM-UL00C00B230 |
|
CAM-UL00C17B220 |
CAM-UL00C17B230 |
|
|
Cannes-EMUI5.0 |
Cannes-AL10C00B375 |
Cannes-AL10C00B379 |
|
Cannes-AL10C745B372 |
Cannes-AL10C745B379 |
|
|
Cannes-TL20C01B376 |
Cannes-TL20C01B379 |
|
|
Chopin-W09A |
CPN-W09C233B060 |
CPN-W09C233B065 |
|
EP820-D04A_TD |
V100R003C00 |
Upgrade to V100R004C10B280 |
|
Jimmy-AL00A |
Jimmy-AL00AC00B105 |
Jimmy-AL00AC00B132 |
|
Jordan-AL00 |
JDN-AL00C233B018 |
JDN-AL00C233B019CUSTC233D002 |
|
Jordan-W09B |
JDN-W09C233B010 |
JDN-W09C233B011 |
|
Kobe-W09CHN |
KOB-W09C233B012 |
KOB-W09C233B223 |
|
LON-AL00B |
LON-AL00BC00B139D |
LON-AL00BC00B231 |
|
LON-AL00BC00B229 |
||
|
LON-L29D |
LON-L29DC721B186 |
LON-L29DC721B189 |
|
Milan-EMUI5.0 |
MLA-AL00C00B356 |
MLA-AL00C00B358 |
|
MLA-AL10C00B356 |
MLA-AL10C00B358 |
|
|
MLA-TL00C01B356 |
MLA-TL00C01B358 |
|
|
MLA-TL10C01B356 |
MLA-TL10C01B358 |
|
|
MLA-TL10C752B356 |
MLA-TL10C752B358 |
|
|
MLA-UL00C17B356 |
MLA-UL00C17B358 |
|
|
NTS-AL00 |
Earlier than NTS-AL00C00B541 versions |
Upgrade to NTS-AL00C00B541 |
|
Prague-AL00A |
Prague-AL00AC00B190 |
Prague-AL00AC00B205 |
|
Prague-AL00B |
Prague-AL00BC00B190 |
Prague-AL00BC00B205 |
|
Prague-AL00C |
Prague-AL00CC00B190 |
Prague-AL00CC00B205 |
|
Prague-TL00A |
Prague-TL00AC01B190 |
Prague-TL00AC01B205 |
|
Prague-TL10A |
Prague-TL10AC01B190 |
Prague-TL10AC01B205 |
|
Toronto-AL00 |
Toronto-AL00C00B201 |
Toronto-AL00C00B210 |
|
Toronto-AL00A |
Toronto-AL00AC00B201 |
Toronto-AL00AC00B210 |
|
Toronto-TL10 |
Toronto-TL10C01B201 |
Toronto-TL10C01B210 |
|
Vicky-AL00A |
Vicky-AL00AC00B124D |
Vicky-AL00AC00B213 |
|
Vicky-AL00AC00B157D |
||
|
Vicky-AL00AC00B172 |
||
|
Vicky-AL00C |
Vicky-AL00CC768B123 |
Vicky-AL00CC768B173 |
|
Vicky-L29A |
Vicky-L29AC10B151 |
Vicky-L29AC10B153 |
|
Vicky-L29AC605B162 |
Vicky-L29AC605B163 |
|
|
Vicky-L29AC636B162 |
Vicky-L29AC636B170 |
|
|
Vicky-L29B |
Vicky-L29BC185B165 |
Vicky-L29BC185B170 |
|
Vicky-L29BC432B162 |
Vicky-L29BC432B170a |
|
|
Vicky-L29BC576B150 |
Vicky-L29BC576B170 |
|
|
Vicky-TL00A |
Vicky-TL00AC01B172 |
Vicky-TL00AC01B213 |
|
Victoria-L29A |
Victoria-L29AC10B151 |
Victoria-L29AC10B161 |
|
Victoria-L29AC636B113 |
Victoria-L29BC636B166 |
HWPSIRT-2017-09131:
Successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code on affected devices.
HWPSIRT-2017-09132:
Successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code on affected devices.
HWPSIRT-2017-09133:
Successful exploit of this vulnerability could allow an attacker to launch MITM attacks.
HWPSIRT-2017-09134:
Successful exploit of this vulnerability could allow an attacker to get users' information, leading to information leaks.
The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).
HWPSIRT-2017-09131:
Base Score: 8.8(AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Temporal Score: 8.2 (E:F/RL:O/RC:C)
HWPSIRT-2017-09132:
Base Score: 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Temporal Score: 7.0 (E:F/RL:O/RC:C)
HWPSIRT-2017-09133:
Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Temporal Score: 5.5 (E:F/RL:O/RC:C)
HWPSIRT-2017-09134:
Base Score: 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Temporal Score: 6.0 (E:F/RL:O/RC:C)
This vulnerability can be exploited only when the following conditions are present:
Open the Bluetooth of the affected device.
Vulnerability details:
For more details, please refer to:
The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.
These vulnerabilities were discovered by Armis Labs.
2017-12-20 V1.1 UPDATE Update the "Software Versions and Fixes" element.
2017-10-18 V1.0 INITIAL
None
Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.
To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.
To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.