US warns of Huawei WiFi modem XSS security threat

US CERT finds flaw in Huawei tech

The US Computer Emergency Response Team (CERT) has issued a warning alerting businesses of a flaw in Huawei’s popular E355 wireless broadband modem that could be leveraged by hackers to mount cross-site scripting attacks.

The CERT team issued the warning on Monday, revealing that the flaw could leave people connecting to the internet or a cellular network using the modem vulnerable to cyber strikes.

“Huawei E355 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to receive SMS messages using the connected cellular network,” explained the advisory.

“The web interface is vulnerable to a stored cross-site scripting vulnerability. The vulnerability can be exploited if a victim views SMS messages that contain JavaScript using the web interface. A malicious attacker may be able to execute arbitrary script in the context of the victim’s browser.”
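The advisory above describes SMS bodies being rendered into the administration page without encoding. The following added example (not Huawei's code; the inbox data, function names and markup heuristic are constructed for illustration) shows the unsafe rendering path beside an output-encoded one, plus a small audit check for stored messages that carry markup:

```javascript
// Added example, not the modem's own code: how an SMS web page turns a text
// message into stored XSS, and how contextual output encoding prevents it.
// Assumption: the interface builds the inbox HTML from the raw SMS body.

// Constructed sample inbox; the third message carries markup, as a message
// from an untrusted sender could.
const INBOX = [
  { from: "+15550100", body: "Your balance is 2 GB" },
  { from: "+15550101", body: "Meet at 5 <3" },
  { from: "+15550102", body: '<script>alert("xss")</script>' },
];

// Vulnerable rendering: the body is concatenated straight into HTML, so a
// <script> element in a message becomes executable page content.
function renderSmsUnsafe(msg) {
  return `<li><b>${msg.from}</b>: ${msg.body}</li>`;
}

// Encode every character that has meaning in HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened rendering: same markup, untrusted fields encoded before insertion.
function renderSmsSafe(msg) {
  return `<li><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.body)}</li>`;
}

// Defender-side audit: flag stored messages whose body would inject a tag or
// an event-handler attribute if rendered through the unsafe path.
function containsMarkup(body) {
  return /<\s*\/?\s*[a-z!]/i.test(body) || /on\w+\s*=/i.test(body);
}

function auditInbox(inbox) {
  return inbox.filter((m) => containsMarkup(m.body)).map((m) => m.from);
}

function renderInbox(inbox, render) {
  return "<ul>" + inbox.map(render).join("") + "</ul>";
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(renderInbox(INBOX, renderSmsUnsafe));
  console.log(renderInbox(INBOX, renderSmsSafe));
  console.log("messages carrying markup:", auditInbox(INBOX));
}
```

The "<3" in the second message is preserved as text by both the encoder and the audit heuristic, which only flags sequences that would actually open a tag.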

Huawei had not responded to V3's request for comment on the security warning at the time of publication.

FireEye director of technology strategy Jason Steer told V3 hackers could use the flaw for a variety of purposes. “Is it bad? Yes, XSS is a high-severity software flaw, because of its prevalence and its ability to be used by attackers to trick users into giving away sensitive information such as session cookies,” he said.

“By allowing hostile JavaScript to be executed in a user’s browser they can do a number of things. The most popular things are performing account takeovers to steal money, goods and website defacement. If you could get an admin account then you can start changing settings and having other impacts as well.”

It is currently unclear if hackers are actively exploiting the flaw but Steer said he would be surprised if it was not.

“I think it’s likely hackers are targeting it. I could think of a number of scenarios where having access to the hotspot configuration might be helpful, especially if I wanted to create a public hotspot and start to eavesdrop on other users looking for free WiFi to go online,” he said.

The CERT team recommended people using the Huawei modem temporarily disable scripting in their web browser to avoid falling victim to attack. “We are currently unaware of a practical solution to this problem. In the meantime, please consider disabling scripting in your web browser,” it said.

ESET senior research fellow David Harley mirrored CERT’s sentiment and told V3 that, if left unchecked, the flaw definitely has the potential to cause harm.

“If a malicious script was reflected back to the victim’s browser and executed, it might be serious: XSS attacks have wide scope in principle. If I was using the vulnerable modem, I’d certainly make sure I had scripting disabled or use an add-on that whitelists scripts,” he said.

Huawei is one of many telecoms technology providers to have flaws found in its products in recent weeks. Cisco patched a security flaw affecting multiple versions of its Small Office/Home Office (SoHo) routers on Friday.

22 July 2014 | 1:36 pm – Source: v3.co.uk