Huawei enterprise comms kit has a TLS crypto bug

Huawei has rolled patches to various enterprise and broadcast products to fix a cryptography bug.

In late 2017 (inferred from the bug's Common Vulnerabilities and Exposures entry, CVE-2017-17174, which was reserved in December), the company discovered some products had an insecure encryption algorithm.

The flaw could allow a person-in-the-middle to decrypt a session key and recover the content of the session.

The products affected are: the RSE6500 recording and streaming engine (version V500R002C00); the now-deprecated SoftCo unified communications software (version V200R003C20SPCb00), the VP9660 videoconferencing multipoint control units (version V600R006C10); and multiple versions of its eSpace U1981 IP telephony and enterprise communications universal SIP gateway.

If any of these are using RSA encryption in TLS, they're potentially vulnerable.

Huawei's advisory rates the vulnerability as a 5.3 (medium), because traffic interception and decryption are non-trivial activities.

Fixed versions are available for all products except SoftCo, whose owners are advised to upgrade to the eSpace U1981.

The optics of the disclosure are delicious, given the USA and Australia consider Huawei a danger to national security. Knowing the company is also a danger to its users - and over the kind of security matter you'd hope an alleged espionage ally would nail every time - looks like a very fortunate blunder. ®