This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy (update in May 2018) >

Security Advisory – Multiple “BlueBorne” vulnerabilities on Huawei Products

  • SA No:huawei-sa-20171018-01-blueborne
  • Initial Release Date: 2017-10-18
  • Last Release Date: 2017-12-20

There are multiple vulnerabilities of the BlueTooth Network in some Huawei products. These vulnerabilities are as follows:

1.Remote Code Execution Vulnerability

This vulnerability resides in the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering). Due to a flaw in the BNEP service, successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code on affected devices. (Vulnerability ID: HWPSIRT-2017-09131)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-0781.

2. Remote Code Execution vulnerability

This vulnerability is similar to the previous one, but resides in a higher level of the BNEP service – the Personal Area Networking (PAN) profile – which is responsible for establishing an IP based network connection between two devices. Similar to the previous vulnerability, successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code on affected devices. (Vulnerability ID: HWPSIRT-2017-09132)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-0782.

3. The Bluetooth Pineapple – Man in The Middle attack

This vulnerability resides in the PAN profile of the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim’s device, re-configure IP routing and force the device to transmit all communication through the malicious network interface. This vulnerability could allow an attacker to launch man-in-the-middle (MITM) attacks. (Vulnerability ID: HWPSIRT-2017-09133)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-0783.

4. Information Leak Vulnerability

The vulnerability was found in the SDP (Service Discovery Protocol) server, which enables the device to identify other Bluetooth services around it. The flaw allows the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response. These pieces of information can later be used by the attacker to overcome advanced security measures and take control over the device. (Vulnerability ID: HWPSIRT-2017-09134)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-0785.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171018-01-blueborne-en

Product Name

Affected Version

Resolved Product and Version

CAM-AL00

CAM-AL00C00B220

CAM-AL00C00B230

CAM-TL00

CAM-TL00C01B220

CAM-TL00C01B230

CAM-TL00H

CAM-TL00HC00B220

CAM-TL00HC00B230

CAM-UL00

CAM-UL00C00B220

CAM-UL00C00B230

CAM-UL00C17B220

CAM-UL00C17B230

Cannes-EMUI5.0

Cannes-AL10C00B375

Cannes-AL10C00B379

Cannes-AL10C745B372

Cannes-AL10C745B379

Cannes-TL20C01B376

Cannes-TL20C01B379

Chopin-W09A

CPN-W09C233B060

CPN-W09C233B065

EP820-D04A_TD

V100R003C00

Upgrade to V100R004C10B280

Jimmy-AL00A

Jimmy-AL00AC00B105

Jimmy-AL00AC00B132

Jordan-AL00

JDN-AL00C233B018

JDN-AL00C233B019CUSTC233D002

Jordan-W09B

JDN-W09C233B010

JDN-W09C233B011

Kobe-W09CHN

KOB-W09C233B012

KOB-W09C233B223

LON-AL00B

LON-AL00BC00B139D

LON-AL00BC00B231

LON-AL00BC00B229

LON-L29D

LON-L29DC721B186

LON-L29DC721B189

Milan-EMUI5.0

MLA-AL00C00B356

MLA-AL00C00B358

MLA-AL10C00B356

MLA-AL10C00B358

MLA-TL00C01B356

MLA-TL00C01B358

MLA-TL10C01B356

MLA-TL10C01B358

MLA-TL10C752B356

MLA-TL10C752B358

MLA-UL00C17B356

MLA-UL00C17B358

NTS-AL00

Earlier than NTS-AL00C00B541 versions

Upgrade to NTS-AL00C00B541

Prague-AL00A

Prague-AL00AC00B190

Prague-AL00AC00B205

Prague-AL00B

Prague-AL00BC00B190

Prague-AL00BC00B205

Prague-AL00C

Prague-AL00CC00B190

Prague-AL00CC00B205

Prague-TL00A

Prague-TL00AC01B190

Prague-TL00AC01B205

Prague-TL10A

Prague-TL10AC01B190

Prague-TL10AC01B205

Toronto-AL00

Toronto-AL00C00B201

Toronto-AL00C00B210

Toronto-AL00A

Toronto-AL00AC00B201

Toronto-AL00AC00B210

Toronto-TL10

Toronto-TL10C01B201

Toronto-TL10C01B210

Vicky-AL00A

Vicky-AL00AC00B124D

Vicky-AL00AC00B213

Vicky-AL00AC00B157D

Vicky-AL00AC00B172

Vicky-AL00C

Vicky-AL00CC768B123

Vicky-AL00CC768B173

Vicky-L29A

Vicky-L29AC10B151

Vicky-L29AC10B153

Vicky-L29AC605B162

Vicky-L29AC605B163

Vicky-L29AC636B162

Vicky-L29AC636B170

Vicky-L29B

Vicky-L29BC185B165

Vicky-L29BC185B170

Vicky-L29BC432B162

Vicky-L29BC432B170a

Vicky-L29BC576B150

Vicky-L29BC576B170

Vicky-TL00A

Vicky-TL00AC01B172

Vicky-TL00AC01B213

Victoria-L29A

Victoria-L29AC10B151

Victoria-L29AC10B161

Victoria-L29AC636B113

Victoria-L29BC636B166

HWPSIRT-2017-09131:

Successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code on affected devices.

HWPSIRT-2017-09132:

Successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code on affected devices.

HWPSIRT-2017-09133:

Successful exploit of this vulnerability could allow an attacker to launch MITM attacks.

HWPSIRT-2017-09134:

Successful exploit of this vulnerability could allow an attacker to get users' information, leading to information leaks.

The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).

HWPSIRT-2017-09131:

Base Score: 8.8(AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 8.2 (E:F/RL:O/RC:C)

HWPSIRT-2017-09132:

Base Score: 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 7.0 (E:F/RL:O/RC:C)

HWPSIRT-2017-09133:

Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 5.5 (E:F/RL:O/RC:C)

HWPSIRT-2017-09134:

Base Score: 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 6.0 (E:F/RL:O/RC:C)

This vulnerability can be exploited only when the following conditions are present:

Open the Bluetooth of the affected device.

Vulnerability details:

For more details, please refer to:

https://www.armis.com/blueborne/

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

These vulnerabilities were discovered by Armis Labs.

2017-12-20 V1.1 UPDATE Update the "Software Versions and Fixes" element.
2017-10-18 V1.0 INITIAL

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.