This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Security Advisory-Two Security Vulnerabilities in the ME906 Wireless Module

  • SA No:Huawei-SA-20150805-01-ME906
  • Initial Release Date: Aug 05, 2015
  • Last Release Date: Nov 19, 2015

ME906 is a mobile Internet access module. The module supports LTE, WCDMA, EVDO, and GSM. The product uses the M.2 interface, supports Windows 7 and Windows 8.1, and is intended for laptop and tablet OEM.

 

This security advisory (SA) describes the impact of two vulnerabilities. These vulnerabilities are referenced in this document as follows:

The upgrade package of the ME906 wireless module contains the hash values of the root account and password. An attacker can obtain the password of the root account through reverse cracking, connect to the serial port of the wireless module, and enter the root account and password to log in to the operating system of the module. (HWPSIRT-2015-02009)

This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-5367.

This module implements upgrade check using CRC16, which is insecure. Much study is done for reversely cracking this algorithm. (HWPSIRT-2015-06032)

This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-5368.

Product Name

Affected Version

Solved version

ME906E

Earlier than  ME906ETCPU-V100R002B500D00SP13C1803 versions

ME906ETCPU-V100R002B500D00SP13C1803

ME906V

Earlier than  ME906VTCPU-V100R002B430D28SP01C00 versions

ME906VTCPU-V100R002B430D28SP01C00

ME906J

ME906JTCPU-V100R002B430D28SP00C00 and earlier versions

ME906JTCPU-V100R002B430D28SP01C00

ME906JTCPU-V100R002B430D28SP02C00

 

 

 

 

 

 

 

 

 

 

 

 

 

Note:If the end user requests a version upgrade, please contact the vendor to upgrade the version and fix the vulnerability.

HWPSIRT-2015-02009: An attacker can exploit this vulnerability to obtain the root permission, access the system by connecting the serial port, and view or modify configuration.

HWPSIRT-2015-06032: An attacker can exploit this vulnerability to tamper with the upgrade package, leading to an upgrade failure or the upgrade of an incorrect package. As a result, services may become unavailable.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

HWPSIRT-2015-02009:

Base Score: 6.9 (L/AC:M/Au:N/C:C/I:C/A:C)

Temporal Score: 5.7 (E:F/RL:O/RC:C)

 

HWPSIRT-2015-06032:

Base Score: 7.8(AV:N/AC:M/Au:N/C:N/I:P/A:C)

Temporal Score: 6.5 (E:F/RL:O/RC:C)

HWPSIRT-2015-02009:

The upgrade package of the ME906 wireless module contains the hash values of the root account and password. An attacker can obtain the password of the root account through reverse cracking.

The ME906 wireless module provides a debugging serial port at the rear for troubleshooting, opening a way for physical cracking by hackers. The hackers can connect to the serial port of the wireless module, and enter the root account and password to log in to the operating system of the module.

HWPSIRT-2015-06032:

This module implements upgrade check using CRC16, which is insecure. Much study is done for reversely cracking this algorithm. Hackers may change or add a code segment to the upgrade file, recalculate a CRC value, and tamper with the firmware of this module through CRC check during upgrade.

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.


This vulnerability was reported privately to Huawei by Mickey Shkatov from Intel Advanced Threat Research Team and Jesse Michael from Intel. Huawei expresses our appreciation for Mickey Shkatov’s and Jesse Michael’s coordinated vulnerability disclosure with Huawei.

Huawei PSIRT is not aware of any malicious use of the vulnerabilities described in this advisory.

For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


2015-11-19 V1.1 UPDATE Updated the “Software Versions and Fixes” element
2015-08-05 V1.0 INITIAL

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.