Information disclosure permite identificar routers Huawei com passwords default

Information disclosure permite identificar routers Huawei com passwords default.

Alguns routers da Huawei foram afetados por uma falha que pode ser explorada pelos atacantes de forma a determinarem se a password default está atualmente disponível como barreira de proteção nos dispositivos.

Ankit Anubhav, um dos principais investigadores da NewSky Security, foi quem descobriu uma vulnerabilidade em alguns modelos de routers da Huawei.

A falha, identificada como CVE-2018-7900, reside no painel de administração do router e permite que informações de credenciais vazem. Um adversário pode usar ferramentas IoT, como o ZoomEye ou o Shodan, para varrer a Internet e identificar dispositivos com passwords padrão definidas.

“CVE-2018–7900 makes the process of attacking a router even more simplified. Rather than doing a spray and pray technique (attack any device whether it has default credentials or not), an attacker can easily find a way to tell whether the router has default credentials without the need to connect to the device, since the router panel leaks this information.” reads the blog post published by the expert.
“Hence the attacker can craft a ZoomEye / Shodan dork to implicitly get a list of the devices having default password. “

O especialista apontou que, ao analisar o código-fonte HTML da página de login, é possível observar que algumas variáveis são declaradas e uma delas contém um valor específico. Ao analisar esse valor, é possível determinar se o dispositivo possui a password padrão.

“How Easy CVE-2018-7900 Makes It Easy to Hack These Devices” continues the expert

“The attacker does not need to scan the internet for finding the devices.
The attacker does not need to attempt a failed login anymore, or encounter a generic honeypot which doesn’t have this flag.
The attacker can simply go to ZoomEye, find a list of devices, login, and do what they want with minimal hacking skills. As easy as that.”

A Huawei já corrigiu a vulnerabilidade, mas está a trabalhar com as operadoras para resolução completa da falha.

A NewSky não divulgará detalhes da falha para evitar sua exploração in-the-wild.

Timeline da vulnerabilidades:

Sep 26, 18: Issue discovered and disclosed privately to Huawei.
Sep 26, 18: Huawei confirms that they got the mail and starts looking into the issue.
Oct 1, 18: Huawei completes analysis and mentions it is consulting with their customers on how to resolve it.
Nov 6, 18: Huawei has provided a fix but is working with carrier operators for complete resolution.
Dec 5, 18: Huawei has finished communication with operators/customers and is ready for a responsible disclosure.
Dec 19, 18: Issue is disclosed publicly.

Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.

In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.