Thursday 24 July 2014

US warns of Huawei WiFi modem XSS security threat

US CERT finds flaw in Huawei tech
The US Computer Emergency Response Team (CERT) has issued a warning alerting businesses of a flaw in Huawei's popular E355 wireless broadband modem that could be leveraged by hackers to mount cross-site scripting attacks.
The CERT team issued the warning on Monday, revealing that the flaw could leave people connecting to the internet or a cellular network using the modem vulnerable to cyber strikes.
"Huawei E355 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to receive SMS messages using the connected cellular network," explained the advisory.
"The web interface is vulnerable to a stored cross-site scripting vulnerability. The vulnerability can be exploited if a victim views SMS messages that contain JavaScript using the web interface. A malicious attacker may be able to execute arbitrary script in the context of the victim's browser."
Huawei released an advisory on the issue in June and confirmed it is working on a fix. “Huawei has analysed and investigated the vulnerability and informed involved customers. Huawei has prepared a fixing plan and started the development and test of fixed versions. Huawei will update the Security Notice if any progress is made," read the advisory.
FireEye director of technology strategy Jason Steer told V3 hackers could use the flaw for a variety of purposes. "Is it bad? Yes, XSS is a high-severity software flaw, because of its prevalence and its ability be used by attackers to trick users into giving away sensitive information such as session cookies," he said.
"By allowing hostile JavaScript to be executed in a user's browser they can do a number of things. The most popular things are performing account takeovers to steal money, goods and website defacement. If you could get an admin account then you can start changing settings and having other impacts as well."
It is currently unclear if hackers are actively exploiting the flaw but Steer said he would be surprised if it was not.
"I think it's likely hackers are targeting it. I could think of a number of scenarios where having access to the hotspot configuration might be helpful, especially if I wanted to create public hotspot and start to eavesdrop on other users looking for free WiFi to go online," he said.
The CERT team recommended people using the Huawei model temporarily disable scripting in their web browser to avoid falling victim to attack while Huawei works on its fix. "We are currently unaware of a practical solution to this problem. In the meantime, please consider disabling scripting in your web browser," it said.
ESET senior research fellow David Harley mirrored CERT's sentiment and told V3 that, if left unchecked, the flaw definitely has the potential to cause harm.
"If a malicious script was reflected back to the victim's browser and executed, it might be serious: XSS attacks have wide scope in principle. If I was using the vulnerable modem, I'd certainly make sure I had scripting disabled or use an add-on that whitelists scripts," he said.
Huawei is one of many telecoms technology providers to have flaws found in its products in recent weeks. Cisco patched a security flaw affecting multiple versions of its Small Office/Home Office (SoHo) routers on Friday.

No comments:

Post a Comment