Vulnerability Note VU#341526

Huawei E355 contains a direct request vulnerability

Original Release date: 06 Mar 2014 | Last revised: 06 Mar 2014

Overview

The Huawei E355 USB WiFi adapter with firmware version 21.157.37.01.910 has been reported to contain a direct request vulnerability in its web interface (CWE-425).

Description

The Huawei E355 USB WiFi adapter with firmware version 21.157.37.01.910 has been reported to contain a direct request vulnerability in its web interface. An attacker can directly access specific URLs of the device's web interface to gather sensitive configuration information and to change the configuration, without authenticating to the device.

The reporter, Jimson K James, has written a Metasploit module to exploit the vulnerability.
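
The class of flaw described above (CWE-425), shown as an added example that is not taken from the device firmware or from the reporter's module: a dispatcher that checks the session only on the landing page, beside one that denies every non-public path by default. All paths, handler names and the session token are hypothetical and constructed for illustration.

```python
# Added illustration of CWE-425 (direct request). Paths, handlers and the
# session token are hypothetical; they are not the E355's real interface.
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]
SESSIONS = {"constructed-session-token"}  # constructed sample of valid sessions

def home(_body: Optional[str]) -> Response:
    return 200, "settings menu"

def login_page(_body: Optional[str]) -> Response:
    return 200, "login form"

def read_wifi_config(_body: Optional[str]) -> Response:
    return 200, "ssid=example;psk=constructed-secret"

def set_admin_password(_body: Optional[str]) -> Response:
    return 200, "password changed"

ROUTES: Dict[str, Callable[[Optional[str]], Response]] = {
    "/": home,
    "/login": login_page,
    "/config/wifi": read_wifi_config,
    "/config/admin-password": set_admin_password,
}
PUBLIC = {"/login"}  # explicit allow-list; every other path needs a session

def dispatch_vulnerable(path: str, session: Optional[str] = None,
                        body: Optional[str] = None) -> Response:
    # Flaw: only the landing page checks the session. A settings URL that is
    # requested directly never passes through this check.
    if path == "/" and session not in SESSIONS:
        return 302, "/login"
    handler = ROUTES.get(path)
    return handler(body) if handler else (404, "not found")

def dispatch_hardened(path: str, session: Optional[str] = None,
                      body: Optional[str] = None) -> Response:
    # Deny by default on every request, before route lookup, so an
    # unauthenticated client cannot even learn which paths exist.
    if path not in PUBLIC and session not in SESSIONS:
        return 401, "authentication required"
    handler = ROUTES.get(path)
    return handler(body) if handler else (404, "not found")

if __name__ == "__main__":
    for p in ("/", "/config/wifi", "/config/admin-password"):
        print(p, dispatch_vulnerable(p)[0], dispatch_hardened(p)[0])
```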

Impact

A remote unauthenticated attacker on an adjacent network may be able to change the administrator's password and reconfigure the device.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

Vendor               Status    Date Notified  Date Updated
Huawei Technologies  Affected  12 Nov 2013    06 Mar 2014

CVSS Metrics

Group          Score  Vector
Base           4.3    AV:A/AC:M/Au:N/C:P/I:P/A:N
Temporal       3.3    E:U/RL:ND/RC:UC
Environmental  0.8    CDP:N/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Jimson K James for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2013-6031
  • Date Public: 06 Mar 2014
  • Date First Published: 06 Mar 2014
  • Date Last Updated: 06 Mar 2014
  • Document Revision: 14
