Huawei has belatedly fixed an embarrassing vulnerability in a USB connectivity dongle, spotted by Trustwave, after The Register intervened.
The LTE USB Stick E3372 device contains a SIM card. Inserting it into a laptop gives you LTE connectivity – handy for working on the move or in a location without Wi-Fi or Ethernet available.
Yet when infosec firm Trustwave’s Spiderlabs division took a closer look at the stick last year, its researchers found a security blunder that affects macOS users: the USB stick acts as a storage drive that includes software to install to manage the dongle. This software creates a root-owned script file on the file system that can be overwritten by any user. That can be used by rogue accounts, or malware on the machine, to fully compromise the Mac. And that script file is supposed to run every time the dongle is plugged in.
Ziv Mador, Trustwave’s research veep, told The Register: “What we found is that when the user logs into the device, there is a file that they install, during setup time on that laptop on that computer. And the file has the information, what executable to run when the USB dongle is plugged in.”
Due to the sloppy file permissions, Mador said, any low-privileged user of the host device could alter the script's contents and have an arbitrary program auto-run whenever the dongle was plugged in. This, he said, presented a security risk: a malicious entity could use this to gain a foothold on the device, and thence to any corporate network it was connected to.
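A defender can look for this class of flaw, a root-owned file that lower-privileged accounts are able to alter, by auditing file modes under the directories where installers drop auto-run scripts. The sketch below is an added example, not Huawei's or Trustwave's code; the article does not name the affected path, so the directory to scan is a parameter, and `owner_uid` exists so the constructed sample tree can be checked without root.

```python
import os
import stat
import tempfile

def audit_tree(root, owner_uid=0):
    """Return (path, reason) for files owned by owner_uid that other accounts could alter."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
            else:
                # A world-writable parent without the sticky bit lets another
                # user replace the file even when the file's own mode is strict.
                dmode = os.stat(dirpath).st_mode
                if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
                    findings.append((path, "parent directory world-writable"))
    return findings

def demo():
    """Audit a constructed sample tree owned by the current user."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "open"))
    for rel, mode in (("a.sh", 0o777), ("b.sh", 0o755), ("open/c.sh", 0o755)):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not matter
    os.chmod(os.path.join(base, "open"), 0o777)
    return {os.path.basename(p): why for p, why in audit_tree(base, os.getuid())}

if __name__ == "__main__":
    print(demo())
```

On a real machine, call `audit_tree()` with the default `owner_uid=0` on the directory an installer wrote to; any finding should be corrected so that only root can write the file and its parent directory.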
While the odds of a successful attack on a multi-user Mac requiring authenticated local access, and an external USB dongle being plugged in, are low, the issue uncovered by Trustwave was nonetheless a genuine vuln. So the firm tried to report it to Huawei.
“We tried contacting them multiple ways over email using the webform. No response. We tried over and over again for months, no response,” said Mador. Trustwave later elaborated that it had tried contacting “multiple security and support email addresses” by email in October 2020, and after getting no response by December it had phoned Huawei’s US support line and tried emailing an address given by the phone agent.
After The Register asked Huawei about the vuln this past Friday, the Chinese mega-corp managed to sort out a security advisory and related patch, which went live this morning.
A Huawei spokesperson told us: "Customer security is Huawei’s top priority and like all responsible businesses if vulnerabilities are discovered we encourage people to report them to our Product Security Incident Response Team - PSIRT@huawei.com."
We understand that Trustwave did not contact PSIRT.
Huawei has a history of a less than coherent security posture. The Huawei Cyber Security Evaluation Centre (HCSEC), the British body charged with scrutinising its mobile network infrastructure firmware, has repeatedly found pisspoor coding practices and outdated libraries being used in its products.
Similarly, the giant fell foul of researchers for consumer rights org Which?, which discovered that outdated routers supplied by Huawei (and to be fair, also by others - none of whom patched their kit) were still in use by some ISPs’ customers despite no updates having been issued for years.
While Huawei deservedly gets flak for those vulns and similar behaviour in its consumer and prosumer-facing product lines, this isn’t unique. Netgear summarily abandoned 45 small routers and switches despite being told about actively exploited vulns in its firmware. ®