There's Huawei too many vulns in Chinese giant's firmware: Bug hunters slam pisspoor code

More than 1 in 2 products have serious flaws, some potentially backdoors, we're told

Huawei, the Chinese manufacturing giant targeted by the Trump administration as a national security threat, has some of the least secure networking products in the industry, according to Finite State.

The US-based IoT-security outfit said it analyzed more than 1.5 million files associated with 9,936 firmware images linked to 558 products in Huawei’s enterprise networking portfolio – and found them wanting. Its dataset consists of Huawei firmware over the past 14 years, up to April 2019.

"In short, we've concluded that Huawei devices have a weaker security posture than other brands, and there are significant security risks associated with using these devices," said Matt Wyckhouse, co-founder and CEO of Finite State, in a video about his organization's findings.

About 55 per cent of Huawei products, the bug hunters said in a report issued on Wednesday, had at least one potential backdoor, which is to say a serious or critical CVE-assigned flaw that an attacker may be able to exploit. This mostly covers hardcoded login credentials and remote-code execution holes, which can be leveraged to hijack kit, though some lesser flaws, such as information disclosure, will be included in that count. However you look at it, more than one in two Huawei products have serious or critical security failings, some of which could be exploited as backdoors.

The report notes that no attempt is being made to address whether any of the security flaws found might have been introduced intentionally, despite its use of the term "backdoor," which generally implies intentional technical sabotage. Finite State attempts to get around this by stating that backdoors can be both unintentional and intentional.

Huawei device firmware contains many known vulnerabilities associated with third-party and open source libraries, the report says. On average, each firmware image analyzed had 102 known CVEs, about 27 per cent of which are rated either high or critical in terms of severity.

For example, Finite State found 79 different OpenSSL versions, the oldest of which dates back to 1999. The company said it found no evidence that Huawei backports security patches into older binaries, as security-conscious vendors do.

In extreme cases, some firmware images had more than 1,400 CVEs. A spokesperson from Finite State did not immediately respond to a request for comment – The Register would like to see how firmware from other vendors fares when subject to the same automated testing. The report contends Huawei's CVE numbers are high by any standard.

Finite State's analysis does include a comparison between the Huawei CE12800, the Arista 7280R, and the Juniper EX4650. None of the three devices were perfect and in some instances the devices had comparable problems – each had close to the same level of unsafe function calls, for example. But the Huawei data center switch had the highest risk rating overall.

"In all but three categories, the Huawei device had the highest risk factor, generally by a substantial margin," the report says.

The report goes on to say there's reason to believe zero-day vulnerabilities based on memory corruption are common in Huawei devices.

'Backdoor vulnerabilities'

"Through analysis of device firmware, we discovered that there were hundreds of cases of potential backdoor vulnerabilities – improper default configurations that could allow Huawei or a malicious attacker to covertly access a user’s device," the report says. "These vulnerabilities manifested in the form of hard-coded, default user accounts and passwords, and several types of embedded cryptographic keys."

The security vendor's analysis of a subset of firmware images (1,162 related to routers, enterprise switches, 4G LTE devices, IP phones, blade chassis controllers and a few other types of gear) found 343 of the images (29 per cent) contained one or more default credentials, with 227 having a default password for the root user.

Many of the firmware images contained default and hard-coded cryptographic keys. Some 252 of the images had private keys, 62 had private host keys (for SSH servers), and 8 had an authorized_keys file, which can be used to enable backdoor access on a device.
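The three artefact types just listed (baked-in password hashes, private keys including SSH host keys, and authorized_keys files) are what a defender looks for after extracting a firmware image's root filesystem. The following scanner is an added example written for this page; it is not Finite State's tooling and contains nothing taken from Huawei firmware. The function names scan_rootfs, scan_passwd and build_sample_rootfs are assumptions, and the sample tree the script writes is constructed data so the scan can run offline.

```python
"""Hunt for default credentials and embedded keys in an extracted firmware root filesystem.

Assumed helper, not Finite State's tooling: scan_rootfs() walks a directory
tree (for example the output of a firmware extractor) and flags the finding
types in the report: password hashes baked into passwd/shadow files, PEM
private keys (including SSH host keys) and non-empty authorized_keys files.
build_sample_rootfs() writes a constructed sample tree so the scan runs offline.
"""
import os
import re
import tempfile

PEM_PRIVATE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
HOST_KEY_NAME = re.compile(r"^ssh_host_[a-z0-9]+_key$")
LOCKED = {"x", "*", "!", "!!"}   # 'x' means shadowed, the others mean no usable password


def scan_passwd(text):
    """Return (user, reason) for each passwd/shadow line whose password field is usable."""
    found = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        user, field = parts[0], parts[1]
        if field == "":
            found.append((user, "empty password"))   # login without any password at all
        elif field not in LOCKED and not field.startswith("!"):
            found.append((user, "hard-coded hash"))  # identical on every unit shipped
    return found


def scan_rootfs(root):
    """Return sorted (relative path, finding) tuples for the tree under root."""
    findings = []
    for dirpath, _, files in os.walk(root):          # does not follow directory symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)          # first MiB is enough for config and key files
            except OSError:
                continue
            if name in ("passwd", "shadow"):
                for user, why in scan_passwd(data.decode("utf-8", "replace")):
                    findings.append((rel, f"default credential: {user} ({why})"))
            if PEM_PRIVATE.search(data):
                kind = "ssh host private key" if HOST_KEY_NAME.match(name) else "private key"
                findings.append((rel, kind))
            if name == "authorized_keys":
                keys = [ln for ln in data.splitlines() if ln.strip() and not ln.startswith(b"#")]
                if keys:
                    findings.append((rel, f"authorized_keys with {len(keys)} entries"))
    return sorted(findings)


def build_sample_rootfs():
    """Write a constructed sample rootfs (no real vendor data) to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="fw_rootfs_")
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin:$1$abc$constructedhash:0:0::/:/bin/sh\n",
        "etc/shadow": "root:$1$xyz$constructedhash:0:0:99999:7:::\ndaemon:*:0:0:99999:7:::\n"
                      "guest::0:0:99999:7:::\n",
        "etc/ssh/ssh_host_rsa_key": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTEDKEY\n"
                                    "-----END RSA PRIVATE KEY-----\n",
        "root/.ssh/authorized_keys": "# vendor support access\nssh-rsa CONSTRUCTEDKEY support@example\n",
        "usr/share/cert/client.key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTEDKEY\n-----END PRIVATE KEY-----\n",
        "bin/busybox": "not a key, not a credential file\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, finding in scan_rootfs(build_sample_rootfs()):
        print(f"{rel}: {finding}")
```

Run it against the directory an extractor produced instead of the sample tree to get the same per-image tally the report gives (credential count, root password present, host keys, authorized_keys). A shadow entry whose hash field is locked (`*` or `!`) is deliberately not reported, since it cannot be logged into; an empty field is reported separately because it is worse than a hash.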

It gets worse. After looking at Huawei's coding practices, Finite State found little enthusiasm for secure coding mechanisms: about 35 per cent of binaries had address space layout randomization (ASLR) enabled; about 12 per cent implemented relocation read only (RELRO); about 74 per cent of binaries had data execution prevention (DEP) enabled; and about 27 per cent used StackGuard to defend against stack-buffer overflows.
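Those four figures come from inspecting each ELF binary's headers: ASLR is only effective for position-independent executables, RELRO and a non-executable stack (DEP) are declared through program headers and dynamic tags, and StackGuard leaves a reference to its failure handler. The checker below is an added example for this page, not Finite State's analysis code and not derived from any Huawei binary. It parses the ELF structures with the standard library alone so it can be pointed at 32- or 64-bit, little- or big-endian firmware binaries; check_hardening and build_elf are assumed names, and build_elf produces a synthetic, non-executable ELF purely so the checker can be exercised offline.

```python
"""Static hardening audit of ELF binaries pulled out of a firmware image.

Assumed helper (not Finite State's or Huawei's code): check_hardening() reads
the ELF header, program headers and dynamic tags with struct, so it needs no
third-party library. build_elf() constructs a synthetic ELF for offline tests.
"""
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _parse(data):
    """Return (endian prefix, is64, e_type, [(p_type, p_flags, p_offset, p_filesz)])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian (common on MIPS)
    fmt = "HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"
    f = struct.unpack_from(end + fmt, data, 16)
    e_type, phoff, phentsize, phnum = f[0], f[4], f[8], f[9]
    phdrs = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:
            p_type, p_flags, p_off, _, _, p_size, _, _ = struct.unpack_from(end + "IIQQQQQQ", data, off)
        else:  # ELF32 places p_flags after p_memsz
            p_type, p_off, _, _, p_size, _, p_flags, _ = struct.unpack_from(end + "IIIIIIII", data, off)
        phdrs.append((p_type, p_flags, p_off, p_size))
    return end, is64, e_type, phdrs


def _bind_now(data, end, is64, phdrs):
    """True if the dynamic section asks for immediate symbol binding (required for full RELRO)."""
    fmt, step = (end + "qQ", 16) if is64 else (end + "iI", 8)
    for p_type, _, off, size in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(off, off + size, step):
            tag, val = struct.unpack_from(fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                return True
    return False


def check_hardening(data):
    """Report the four mitigations the report measured, for one ELF binary."""
    end, is64, e_type, phdrs = _parse(data)
    flags = {p_type: p_flags for p_type, p_flags, _, _ in phdrs}
    relro = "none"
    if PT_GNU_RELRO in flags:
        relro = "full" if _bind_now(data, end, is64, phdrs) else "partial"
    return {
        "pie": e_type == ET_DYN,                                          # ASLR needs a PIE
        "nx": PT_GNU_STACK in flags and not flags[PT_GNU_STACK] & PF_X,  # DEP: stack not executable
        "relro": relro,
        "canary": b"__stack_chk_fail" in data,  # heuristic: StackGuard's failure handler is referenced
    }


def build_elf(pie=True, nx=True, relro="full", canary=True, is64=True, big_endian=False):
    """Construct a synthetic ELF (header, program headers, dynamic tags, one string) for testing."""
    end = ">" if big_endian else "<"
    ehsize, phentsize = (64, 56) if is64 else (52, 32)
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0)]
    dyn = b""
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0))
        dfmt = end + ("qQ" if is64 else "iI")
        if relro == "full":
            dyn += struct.pack(dfmt, DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack(dfmt, DT_NULL, 0)
        phdrs.append((PT_DYNAMIC, PF_R | PF_W, ehsize + (len(phdrs) + 1) * phentsize, len(dyn)))
    phnum = len(phdrs)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 2 if big_endian else 1, 1]) + b"\0" * 9
    hfmt = end + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH")
    out = struct.pack(hfmt, ident, ET_DYN if pie else ET_EXEC, 0, 1, 0, ehsize, 0, 0,
                      ehsize, phentsize, phnum, 0, 0, 0)
    for p_type, p_flags, off, size in phdrs:
        if is64:
            out += struct.pack(end + "IIQQQQQQ", p_type, p_flags, off, 0, 0, size, size, 0)
        else:
            out += struct.pack(end + "IIIIIIII", p_type, off, 0, 0, size, size, p_flags, 0)
    return out + dyn + (b"__stack_chk_fail\0" if canary else b"")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_hardening(fh.read()))
```

Invoke it with the paths of the binaries extracted from an image and aggregate the dictionaries to reproduce percentages of the kind quoted above. The canary check is a string heuristic: a binary that references `__stack_chk_fail` was built with stack protection somewhere, but a static binary with the handler inlined, or one whose symbol table was stripped along with the import, can be misjudged, which is why tools that do this seriously also walk the symbol tables.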

The firm looked for safe functions that defend against memory corruption. It found them in only 17 per cent of the functions present in the firmware. The company observes that despite Huawei's recent pledge to invest $2bn to improve the security of its products, its findings "do not indicate the type of improvement we expect to see from a company who has stated they have focused efforts and investments targeted at improving their security program."

"Based on the pervasiveness of these secure coding vulnerabilities across enterprise and consumer grade equipment produced by Huawei, we can definitively conclude that Huawei, as an organization, does not practice secure coding principles," the report says.

Despite the report's insistence that it does not address whether any of the flaws may represent deliberate attempts at espionage, it nonetheless makes clear that's a possibility by pointing out that the Chinese National Intelligence Law of 2016 requires all companies to assist national intelligence work – even as it cites past Huawei statements insisting the Chinese government could not force it to install backdoors.

Spokespeople for Huawei remain silent on the findings. ®

PS: As we've noted before, Huawei is not alone in shipping insecure products (just ask Cisco), though its track record in the enterprise space is not looking great, you have to admit.

Biting the hand that feeds IT © 1998–2022