
CERT Coordination Center


Huawei E355 contains a direct request vulnerability

Vulnerability Note VU#341526

Original Release Date: 2014-03-06 | Last Revised: 2014-03-06

Overview

Huawei E355 USB WiFi adapter with firmware version 21.157.37.01.910 has been reported to contain a direct request vulnerability in the web interface. (CWE-425)

Description

Huawei E355 USB WiFi adapter with firmware version 21.157.37.01.910 has been reported to contain a direct request vulnerability in the web interface. An attacker is able to directly access specific URLs of the device's web interface to gather sensitive configuration information and also change the configuration without authenticating to the device.
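The pattern described above, as an added illustration that is not part of this note and does not model the E355's actual interface: a minimal Python router in which the configuration page checks the session but the JSON endpoints behind it do not (CWE-425), beside a version that enforces authentication centrally before dispatch. All paths, the session token and the configuration values are constructed placeholders.

```python
"""Added example, not from the CERT note or from Huawei: a minimal router
showing how a direct request (CWE-425) flaw arises in a device web UI and
how a central authentication gate removes it. Every path, credential and
token below is a constructed placeholder, not the E355's real interface."""
import copy

CONFIG = {"admin_password": "placeholder-secret", "ssid": "constructed-ssid"}
VALID_SESSION = "constructed-session-token"  # stands in for a real session store


def is_authenticated(req):
    return req.get("session") == VALID_SESSION


# Handlers. The HTML page checks the session itself; the JSON endpoints that
# the page's script calls were written on the assumption that only that page
# would ever reach them, so they check nothing.
def login_page(req):
    return 200, {"page": "login"}

def config_page(req):
    if not is_authenticated(req):
        return 302, {"location": "/login"}
    return 200, {"page": "config"}

def api_get_config(req):
    return 200, copy.deepcopy(CONFIG)

def api_set_password(req):
    CONFIG["admin_password"] = req["new_password"]
    return 200, {"result": "ok"}

ROUTES = {"/login": login_page, "/config.html": config_page,
          "/api/config": api_get_config, "/api/password": api_set_password}
PUBLIC = {"/login"}  # the only route that legitimately needs no session


def handle_vulnerable(path, req):
    """Per-page checks only: a client that requests /api/config directly
    never passes through config_page, so its check is skipped (CWE-425)."""
    handler = ROUTES.get(path)
    return handler(req) if handler else (404, {})


def handle_hardened(path, req):
    """Central gate: every route not on the public allow-list is checked
    before dispatch, so an unlinked URL is protected like a linked one."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, {}
    if path not in PUBLIC and not is_authenticated(req):
        return 401, {"error": "authentication required"}
    return handler(req)
```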

The reporter, Jimson K James, has written a Metasploit module to exploit the vulnerability.

Impact

A remote unauthenticated attacker on an adjacent network may be able to change the administrator's password and reconfigure the device.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information


Huawei Technologies

Notified: November 12, 2013 | Updated: March 06, 2014

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 4.3 AV:A/AC:M/Au:N/C:P/I:P/A:N
Temporal 3.3 E:U/RL:ND/RC:UC
Environmental 0.8 CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Jimson K James for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2013-6031
Date Public: 2014-03-06
Date First Published: 2014-03-06
Date Last Updated: 2014-03-06 14:53 UTC
Document Revision: 14

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.