Security Advisory-Segment Fault When Parsing Http Request in Web server of E585
- SA No:Huawei-SA-20121203-1-E585
- Initial Release Date: 2012-12-03
- Last Release Date: 2012-12-03
HUAWEI E585 Wireless Modem is the terminal which can realize the high-speed wireless network access. The access is realized by the connection between USB interfaces and PCs or by the connection between WiFi and many wireless devices. In the network coverage area of HSPA/UMTS or EDGE/GPRS/GSM, users can enjoy the applications of wireless network access, short message communication, and sending and receiving emails. The current product has the following vulnerabilities:
For some specific attacking packets (such as the packets sent by vulnerability scanning tools), as the check of the pointer value returned by string matching function is not enough when E585 is analyzing the HTTP request segments, pointer access errors occur and lead to the segment fault which can cause the device become unable to respond (Vulnerability ID: HWNSIRT-2012-1031).
We have made the version updating plan.
Affected Products:
E585u-82
Affected versions:
V100R001B106D00SP96C240
V100R001B106D00SP01C426
V100R001B106D00SP01C17
E585
Affected versions:
V100R001C84B503SP02
V100R001C64B503
V100R001C402B102SP01
V100R001C361B102
V100R001C326B102SP02
V100R001C308B102SP01
V100R001C09B102SP02
V100R001C323B505SP03
The vulnerability classification has been performed by using the CVSSv2 scoring system
(http://www.first.org/cvss/).
CVSS v2 Base Score: 6.1(AV:A/AC:L/Au:N/C:N/I:N/A:C)
CVSS v2 Temporal Score: 4.8 (E:P/RL:O/RC:C)
Prerequisite of exploiting vulnerabilities to launch attacks:
The specific attacking tool (such as the command line tool or vulnerability scanning tool) needs to be connected to the devices through WiFi on the LAN side or through USB interfaces and the attacking packets are sent through this specific tool.
Detailed Vulnerability Description:
When E585 is analyzing some specific attacking packets (such as the packets which are sent by attackers when vulnerability scanning software scans the E585), the HTTP request segment in the packets can cause some character string pointer in the code (the return value of the character matching function and the character string pointer used in the login authentication function) be set to Null, and the code does not check whether the value of this point is null or not. Therefore, the access of programs to the null pointer leads to the segment fault, which can cause the devices become unable to respond and fail to function normally.
This vulnerability cannot be exploited to launch attacks on the WAN side.
Solutions:
When E585 is analyzing the HTTP request segments, make it check the return value of the character string matching function (the pointer) to prevent the pointer access errors.
Version upgrade information and upgrade date:
|
Product |
Affected Version |
Solved Version |
Solved Time |
|
E585u-82 |
V100R001B106D00SP96C240 |
V100R001B106D00SP97C240 |
2012-11-30 |
|
V100R001B106D00SP01C426 |
V100R001B106D00SP02C426 |
2012-11-30 |
|
|
V100R001B106D00SP01C17 |
V100R001B106D00SP02C17 |
2012-11-30 |
|
|
E585 |
V100R001C84B503SP02 |
V100R001C84B503SP03 |
2012-11-30 |
|
V100R001C64B503 |
V100R001C64B503SP01 |
2012-11-30 |
|
|
V100R001C402B102SP01 |
V100R001C402B102SP02 |
2012-11-30 |
|
|
V100R001C361B102 |
V100R001C361B102SP01 |
2012-11-30 |
|
|
V100R001C326B102SP02 |
V100R001C326B102SP03 |
2012-11-30 |
|
|
V100R001C308B102SP01 |
V100R001C308B102SP02 |
2012-11-30 |
|
|
V100R001C09B102SP02 |
V100R001C09B102SP03 |
2012-11-30 |
|
|
V100R001C323B505SP03 |
V100R001C323B505SP04 |
2012-11-30 |
This vulnerability information is obtained from CERT Coordination Center. We thank CERT Coordination Center and the vulnerability discoverer here for their attention to the vulnerabilities of Huawei products.
Huawei PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2012-12-3 V1.0 INITIAL
Question 1: Can someone else exploit this vulnerability remotely through networks?
Answer: This vulnerability can only be exploited through the local area network. The remote users cannot access the Web Server of board, so they cannot exploit this vulnerability remotely through networks.
Question 2: How can I identify the software version of the E585 I am using?
Answer: Locally access the address of the board gateway (the default address is 192.168.1.1) to log in to the Web UI. And check the software version under the menu of Advanced settings->System->Version.
