Security Notice-Statement on Recurity Lab Revealing Security Vulnerabilities in Huawei AR Series Routers

Huawei was notified about information released by Recurity Lab regarding security vulnerabilities in Huawei AR 18/28 Routers at the Defcon 2012 conference held late July 2012. Huawei immediately launched a thorough investigation and communicated with Recurity Labs.

After the investigation, it has been verified that AR18/28/46/19/29/49 series access routers and S20/30/35/39/51/56/78/85 series switches have security vulnerabilities that affect the HTTP management interface and could be exploited by attackers when there is no restriction on the remote access to the equipment said above. As those are OEM  products, we have contacted the OEM supplier so they can assess their range of products to ensure no similar vulnerabilities exist. Huawei has examined its self-designed and engineered products and found no similar vulnerabilities.

Huawei has delivered three Security Advisories and mitigation measures. Customers can get necessary support for product security vulnerabilities through Huawei local technical service.

Huawei has already established response mechanism to deal with product security issues. Please report to Huawei PSIRT at psirt@huawei.com if you find any security vulnerability of Huawei products.

Security Advisory-HTTP Session Management Vulnerability in HTTP Module

Security Advisory-Buffer Overflow on Stack in HTTP Module

Security Advisory-Buffer Overflow on Heap When Parsing Http Response in HTTP Module