Swascan, the Cyber Security Firm that thanks to its Research Team had already been able to unravel the vulnerabilities of Adobe, Microsoft and Lenovo recently brought to light some critical issues of Huawei’s web applications and servers, the giant specialized in the production of systems and solutions for networks and telecommunications.
Swascan, the Italian Cyber Security company founded by Raoul Chiesa and Pierguido Iezzi, is the first cloud-based Cybersecurity Testing platform that allows to identify, analyze and solve the vulnerabilities of websites and information infrastructure.
Analysis and remediation
Through careful work, Swascan experts have identified a number of critical issues within Huawei’s web applications. The resulting Responsible Vulnerability Disclosure revealed a few vulnerabilities ranked as critical that, if exploited by Malicious Attackers or Cybercriminals, could have impacted business continuity, user’s data and information security and the regular operation of their services.
The Collaboration with Huawei
Following this discovery, Team Swascan contacted their Huawei counterparts to inform them of the vulnerabilities found and to set up a collaboration for the remediation activities needed for these flaws.
Speaking on the need of collaboration Pierguido Iezzi, Co-Founder of Swascan said: “In the world of Cyber security the principle of collaboration is finally establishing itself. The risks increase by a huge margin every year and this has mandated a cultural as well as technological Paradigm Shift. Our experience with Huawei shows that if these values are correctly understood they can be an additional backbone to create an effective and efficient Cyber Security Framework”.
The Vulnerabilities in detail
The high-level criticalities discovered were going to impact aspects of:
In detail, the vulnerabilities belonged to the following CWE categories:
- CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer): The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer’s worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data – such as a flag indicating whether the user is an administrator. Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.
- CWE-125 (Out-of-bounds Read): The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causinfg excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
- CWE-78 (OS Command Injection): The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Attackers could execute unauthorized commands, which could then be used to disable the software, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application’s owner.
Synergy for safety
The cooperation between Swascan and Huawei reaffirms what Pierguido Iezzi pointed out: in order to face the emerging threats of the Criminal hackers, a double action is necessary: on the company side, a secure IT infrastructure and a qualified staff is necessary, together with the skills and tools that only the experts of Cyber Security can give.
Pierguido Iezzi, CyberSecurity Director
Raoul Chiesa, Swascan co-founder, InfoSec addicted