Zero-Day Advisory

Fortinet Discovers Huawei Home Gateway Remote Code Execution Vulnerability

Summary

Fortinet's FortiGuard Labs has discovered an unauthenticated remote code execution vulnerability in some HG655 routers shipped by the company Huawei.

Huawei manufactures a series of network routers directly competing with Linksys and Asus routers.

A malicious user can forge an UPnP SOAP request that injects operating system commands that can be executed on the device with higher privileges.

Solutions

FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:

Huawei.HG655.Remote.Code.Execution
Released Feb 27, 2018

Upgrade your router to version V100R001C02B023.

Additional Information

The normal usage scenario of HG655m device is to be used in a home network, in such deployment usage the attacks can only be launched through the local Ethernet interface as the UPnP service port TCP/37215 is listening by default on the LAN interface only.

Timeline

·       Dec 20 2017 – FortiGuard Labs contacts the Huawei PSIRT Team by email

·       Dec 21 2017 – The Huawei PSIRT Team replies that they have started their investigation

·       Dec 22 2017 – The Huawei PSIRT gets the vulnerability fixed but need more time to deploy the patch and protect their customers

·       Dec 23 2017 – FortiGuard Labs agrees we can postpone the disclosure

·       Jan 15 2018 - FortiGuard Labs requests updates on the disclosure timeline

·       Jan 17 2018 - The Huawei PSIRT Team requested for more time before publication

·       Feb 02 2018 - The Huawei PSIRT Team confirmed the deployment is done and we can cooperate on the disclosure plan

·       March 26 2018 – Coordinated vulnerability disclosure

Acknowledgement

This vulnerability was discovered by David Maciejak of Fortinet's FortiGuard Labs.

IPS Subscription

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.