Click For Photo: https://regmedia.co.uk/2018/10/15/shutterstock_huawei_office.jpg
Exclusive Huawei bungled its response to warnings from an ISP's code review team about a security vulnerability common across its home routers – patching only a subset of the devices rather than all of its products that used the flawed firmware.
Years later, those unpatched Huawei gateways, still vulnerable and still in use by broadband subscribers around the world, were caught up in a Mirai-variant botnet that exploited the very same hole flagged up earlier by the ISP's review team.
Register - ISP - Vulnerability - Assessment - Huawei
The Register has seen the ISP's vulnerability assessment given to Huawei in 2013 that explained how a programming blunder in the firmware of its HG523a and HG533 broadband gateways could be exploited by hackers to hijack the devices, and recommended the remote-command execution hole be closed.
Our sources have requested anonymity.
Security - Assessment - ISP - Huawei - Broadband
After receiving the security assessment, which was commissioned by a well-known ISP, Huawei told the broadband provider it had fixed the vulnerability, and had rolled out a patch to HG523a and HG533 devices in 2014, our sources said. However, other Huawei gateways in the HG series, used by other internet providers, suffered from the same flaw because they used the same internal software, and remained vulnerable and at risk of attack for years because Huawei did not patch them.
One source described the bug as a "trivially exploitable remote code execution issue in the router."
Vulnerability - Firmware - UPnP - Handling - Code
The vulnerability, located in the firmware's UPnP handling code, was uncovered by other researchers in more Huawei routers years later, and patched by the manufacturer, suggesting the Chinese giant was tackling the security hole whack-a-mole-style, rolling out fixes only when someone new discovered and reported the bug.
El Reg has studied Huawei's home gateway firmware, and found blocks of code, particularly in the UPnP component, reused across multiple device models, as you'd expect. Unfortunately, Huawei has chosen to patch the models...
Wake Up To Breaking News!