Huawei 3G routers rife with flaws

South Korean security researcher Pierre Kim has revealed today that fifteen Huawei 3G routers have a slew of serious vulnerabilities – RCE, XSS, CSRF, DoS, unauthenticated firmware update – but that the company does not intend to patch them, as all those devices are in the End Of Service cycle.

Kim tested the Huawei B260A with the last available firmware (846.11.15.08.115, issued on February 20, 2013).

B260A is a 3G modem/access point that is still used by ISPs in Europe, Latin America, and Africa (Tele2 and Telia in Sweden; Tele2 and E-Plus in Germany; Orange in Slovakia, Tunisia, Niger, Armenia; Vodafone in Romania – to name just a few).

Among the issues he found are:

  • Administrator’s account name and password are stored in cleartext in a cookie
  • Remote attackers can reboot, grab the WiFi password, the Point-to-Point Protocol (PPP) password, change remote DNS servers, execute a DoS against the HTTP server, upgrade firmware, gain root shell – all without authentication.

This particular firmware is also installed on the following Huawei devices:

  • E960, WLA1GCPU
  • E968, WLA1GCYU
  • B970, WLA1GAPU
  • B932, WLB1TIPU
  • B933, WLB1TIPU
  • B220, WLA1GCYU
  • B260, WLA1GCYU
  • B270, WLA1GCYU
  • B972, WLA1GCYU
  • B200-20, WLB3TILU
  • B200-30, WLB3TILU
  • B200-40, WLB3TILU
  • B200-50, WLB3TILU
  • ?, WLA1GCPU.

Huawei confirmed that they are also vulnerable, and that they are all in the End Of Service cycle and will not be supported anymore.

“The vendor encourages people to discard existing unsupported models and to use new routers (B68L and B310),” Kim shared in the advisory.

Huawei’s PSIRT has not yet publicly commented the disclosure, as they are wont to do.

Don't miss