Vulnerability Note VU#948096

Huawei networking equipment weak password cipher

Original Release date: 05 Aug 2013 | Last revised: 03 Oct 2013

Overview

Huawei networking equipment uses the DES encryption algorithm for password encryption. DES is publicly known to be easily cracked.

Description

Huawei Security Advisory Huawei-SA-20120827-01-CX600 states:

    In multiple Huawei products, DES encryption algorithm is used for password and the encryption is not strong enough so it may be cracked (HWNSIRT-2012-0820).

    This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2012-4960.

    Temporary fix for this vulnerability is available. Huawei has made the version plan to resolve this vulnerability.

Impact

An attacker with access to the Huawei networking equipment encryption file may be able to crack the DES encryption algorithm to recover the system password.

Solution

Apply Update

Users are advised to read Huawei Security Advisory Huawei-SA-20120827-01-CX600 for fix information and apply updates as recommended.

Huawei Security Advisory Huawei-SA-20120827-01-CX600 states the following temporary fixes:


    1. Enhance the remote login management to the equipment and only allow login within the operator’s management network.

    2. Strictly manage the accounts privilege.

    3. Change the password regularly.

Vendor Information

Vendor               Status    Date Notified  Date Updated
Huawei Technologies  Affected  -              31 Jul 2013

CVSS Metrics

Group Score Vector
Base 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Temporal 5.4 E:F/RL:OF/RC:C
Environmental 5.1 CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Kurt Grutzmacher for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2012-4960
  • Date Public: 17 Dec 2012
  • Date First Published: 05 Aug 2013
  • Date Last Updated: 03 Oct 2013
  • Document Revision: 13
