
CERT Coordination Center

Huawei networking equipment weak password cipher

Vulnerability Note VU#948096

Original Release Date: 2013-08-05 | Last Revised: 2013-10-03


Huawei networking equipment uses the DES encryption algorithm to encrypt passwords. DES is publicly known to be easily cracked.


Huawei Security Advisory Huawei-SA-20120827-01-CX600 states:

In multiple Huawei products, DES encryption algorithm is used for password and the encryption is not strong enough so it may be cracked (HWNSIRT-2012-0820).

This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2012-4960.

Temporary fix for this vulnerability is available. Huawei has made the version plan to resolve this vulnerability.


An attacker with access to the Huawei networking equipment encryption file may be able to crack the DES encryption algorithm to recover the system password.


Apply Update

Users are advised to read Huawei Security Advisory Huawei-SA-20120827-01-CX600 for fix information and apply updates as recommended.

Huawei Security Advisory Huawei-SA-20120827-01-CX600 states the following temporary fixes:

1. Enhance the remote login management to the equipment and only allow login within the operator’s management network.

2. Strictly manage the accounts privilege.

3. Change the password regularly.

Vendor Information


Huawei Technologies Affected

Updated:  July 31, 2013



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group          Score   Vector
Base           6.5     AV:N/AC:L/Au:S/C:P/I:P/A:P
Temporal       5.4     E:F/RL:OF/RC:C
Environmental  5.1     CDP:LM/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Kurt Grutzmacher for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-4960
Date Public: 2012-12-17
Date First Published: 2013-08-05
Date Last Updated: 2013-10-03 11:31 UTC
Document Revision: 14

Sponsored by CISA.