Huawei has gagged infosec researchers from discussing now-patched critical vulnerabilities in the Chinese giant's web systems that could have been exploited to steal customer information and derail the manufacturer's operations.
A security research team at Italian outfit Swascan told The Register on Monday that, within the past month, it privately warned Huawei of flaws in the telecoms kit maker's websites and online services, and that the exploitable bugs were, we're told, duly fixed up.
However, it is unclear which parts of the Chinese giant's web systems were at risk, what kinds of information could have been stolen or tampered with, which sections of the manufacturer's operations were potentially affected, and whether or not the holes were exploited by intruders. Huawei has refused to comment. Swascan is banned from discussing it further, likely under an NDA as part of Huawei's vulnerability disclosure procedures.
"Swascan experts have identified a number of critical issues within Huawei’s infrastructure and web applications," the Swascan team at least stated in its Huawei-approved press statement on Sunday.
"The resulting responsible vulnerability disclosure revealed a few vulnerabilities ranked as critical that, if exploited by malicious attackers or cybercriminals, could have impacted business continuity, user’s data and information security and the regular operation of their services."
When we pressed Swascan cofounder Pierguido Iezzi for more details, he told us: "Sorry, but we cannot give more details and/or information about the vulnerabilities discovered. The press release has been approved directly by Huawei."
It is understood hackers aware of these critical vulnerabilities would have been able to exploit the programming blunders over the internet as the vulnerable web systems were public facing.
All Huawei has allowed Swascan to reveal is the types of bugs found: namely, out-of-bounds memory writes, out-of-bounds memory reads, and operating system command injection. Critical details including the number of holes found, the names of the patched services, any CVE numbers for the flaws, whether the bugs were exploited by miscreants, and when the patches were implemented, have all been omitted from the Huawei-sanitized Swascan report.
For what it's worth, an out-of-bounds write is usually a buffer overflow: more data is written into a memory buffer than it was sized for, clobbering whatever sits next to it, which can be anything from a privilege flag to a return address or function pointer that lets an attacker hijack the program's control flow. There are other kinds of out-of-bounds writes, though, so the label on its own tells you little. Out-of-bounds reads leak memory the program never meant to expose: customer data, credentials, or the pointers and addresses an attacker needs to defeat defenses such as ASLR before mounting a second attack. Again, not very specific. OS command injection is a service passing attacker-controlled input to a shell, typically by pasting a request parameter into a command string and handing it to something like system(). It does what it says on the tin, though there are many ways to achieve it.
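To make those three labels concrete, here is an added example, written for this article and not code from Swascan's report or from Huawei's systems, showing a toy version of each bug class next to a hardened variant. The fixed-layout user record, its offsets, the "session store" of two adjacent records and the ping handler are all constructed for illustration; the command string is built but deliberately never executed.

```c
/*
 * Added example (not Swascan's or Huawei's code): toy C versions of the three
 * bug classes named in the sanitised report, each beside a hardened variant.
 * The record layout, offsets and sample data are invented for illustration.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-layout user record: 16-byte name, then a 1-byte admin flag. */
enum { NAME_OFF = 0, NAME_LEN = 16, ADMIN_OFF = 16, RECORD_LEN = 32 };

/* Two records stored back to back, as a tiny session store might keep them. */
typedef struct { unsigned char raw[2 * RECORD_LEN]; } store_t;

/* 1. Out-of-bounds write: copies until NUL with no check against NAME_LEN.
 *    A 17-character name lands its last byte on the admin flag.
 *    (For that input the write stays inside raw[], so the demo itself is
 *    well-defined; a longer name would write past the store, i.e. real UB.) */
void vuln_set_name(store_t *s, const char *name) {
    size_t i;
    for (i = 0; name[i] != '\0'; i++)
        s->raw[NAME_OFF + i] = (unsigned char)name[i];
    s->raw[NAME_OFF + i] = 0;
}

/* Hardened: reject anything that does not fit, terminator included. */
int safe_set_name(store_t *s, const char *name) {
    size_t n = strlen(name);
    if (n >= NAME_LEN)
        return -1;
    memcpy(s->raw + NAME_OFF, name, n);
    memset(s->raw + NAME_OFF + n, 0, NAME_LEN - n);
    return 0;
}

/* 2. Out-of-bounds read: the caller-supplied length is trusted, so asking for
 *    more than NAME_LEN bytes returns the neighbouring record as well.
 *    (out must hold len bytes; len <= 2 * RECORD_LEN keeps the demo in bounds.) */
size_t vuln_read_name(const store_t *s, size_t len, unsigned char *out) {
    memcpy(out, s->raw + NAME_OFF, len);      /* no clamp against NAME_LEN */
    return len;
}

/* Hardened: clamp the read to the field. */
size_t safe_read_name(const store_t *s, size_t len, unsigned char *out) {
    if (len > NAME_LEN)
        len = NAME_LEN;
    memcpy(out, s->raw + NAME_OFF, len);
    return len;
}

/* 3. OS command injection: a handler that builds "ping -c 1 <host>" from a
 *    request parameter. In a real service the result would go to system();
 *    here it is only returned so the string can be inspected. */
int vuln_build_ping(const char *host, char *cmd, size_t cmdlen) {
    int n = snprintf(cmd, cmdlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Hardened, step one: allow only hostname characters. */
int host_is_clean(const char *host) {
    if (*host == '\0' || strlen(host) > 253)
        return 0;
    for (; *host; host++)
        if (!(isalnum((unsigned char)*host) || *host == '.' || *host == '-'))
            return 0;
    return 1;
}

/* Hardened, step two: build an argv for execvp() so no shell ever parses
 * the value; returns -1 if the host is rejected. */
int safe_ping_argv(const char *host, const char *argv[5]) {
    if (!host_is_clean(host))
        return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "1"; argv[3] = host; argv[4] = NULL;
    return 0;
}
```

The point of the first two functions is that neither crashes on the crafted input: the overflow silently flips a flag, and the over-read silently hands back the next record's contents, which is exactly the "user's data" and "business continuity" wording in Swascan's statement. The ping handler shows why a denylist of shell metacharacters is the wrong fix; validating against the small set of characters a hostname can contain, then avoiding the shell altogether, is the robust one.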
Now, Huawei is under no obligation to talk about its security flaws. It could have gagged Swascan completely: plenty of companies demand silence from those who privately disclose vulnerabilities. However, given that customer data and operations were apparently at risk, Huawei's secrecy in this matter will raise concerns. In the past, it has failed to implement patches properly, and been slammed for pitiful software engineering practices. Perhaps it fears it may not have fixed up all of its holes, and thus doesn't want people poking around? Perhaps it's embarrassed by its coding screwups? But everyone has bugs.
Of course, it could be that the bugs weren't all that serious. But why would Huawei then remain silent?
This opacity comes as Huawei finds itself under the microscope for the security of its products and the supposedly close relationship the manufacturer enjoys with officials in China – a country so authoritarian it censored Winnie the Pooh. Huawei insists it operates independently of its Middle Kingdom masters.
The US government has made a point of publicly swearing off the use of any Huawei products, citing espionage concerns, and has been leaning on its allies to institute their own policies excluding Huawei kit from new and existing wireless broadband networks.
While the biz was recently given hope that Washington DC might walk back the ban, government officials say they have no plans to do so at the moment. ®