
CERT Coordination Center


Huawei networking equipment weak password cipher

Vulnerability Note VU#948096

Original Release Date: 2013-08-05 | Last Revised: 2013-10-03

Overview

Huawei networking equipment uses the DES encryption algorithm for password encryption. DES is publicly known to be easily cracked.

Description

Huawei Security Advisory Huawei-SA-20120827-01-CX600 states:

In multiple Huawei products, DES encryption algorithm is used for password and the encryption is not strong enough so it may be cracked (HWNSIRT-2012-0820).

This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2012-4960.

Temporary fix for this vulnerability is available. Huawei has made the version plan to resolve this vulnerability.

Impact

An attacker with access to the Huawei networking equipment encryption file may be able to crack the DES encryption algorithm to recover the system password.

Solution

Apply Update


Users are advised to read Huawei Security Advisory Huawei-SA-20120827-01-CX600 for fix information and apply updates as recommended.

Huawei Security Advisory Huawei-SA-20120827-01-CX600 states the following temporary fixes:

1. Enhance the remote login management to the equipment and only allow login within the operator’s management network.

2. Strictly manage the accounts privilege.

3. Change the password regularly.

Vendor Information


Huawei Technologies

Updated:  July 31, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-u_194373.htm

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group | Score | Vector
Base | 6.5 | AV:N/AC:L/Au:S/C:P/I:P/A:P
Temporal | 5.4 | E:F/RL:OF/RC:C
Environmental | 5.1 | CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Kurt Grutzmacher for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-4960
Date Public: 2012-12-17
Date First Published: 2013-08-05
Date Last Updated: 2013-10-03 11:31 UTC
Document Revision: 13

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.