
Huawei working to patch critical security vulnerabilities

10 Jul 2019

Just when Huawei thought it was getting something of a reprieve from governments and the press, yet another piece of research highlights that the company isn't immune from security flaws. The company is, however, working to fix them.

An Italian cybersecurity company called Swascan examined Huawei’s sites and applications.

But Swascan didn't just pick on Huawei: the company has also researched Adobe, Microsoft and Lenovo vulnerabilities, showing that plenty of tech companies are exposed to security issues and risks.

"In the world of cybersecurity, the principle of collaboration is finally establishing itself. The risks increase by a huge margin every year and this has mandated a cultural as well as technological paradigm shift," comments Swascan cofounder Pierguido Iezzi.

“Our experience with Huawei shows that if these values are correctly understood they can be an additional backbone to create an effective and efficient cybersecurity framework.”

Huawei is proactively working with Swascan researchers to fix the vulnerabilities, which could affect all three pillars of security: confidentiality, integrity and availability. Swascan groups the findings under three weakness classes:

CWE-119 (Improper restriction of operations within the bounds of a memory buffer): The software reads from or writes to memory outside the boundary of a buffer. This can corrupt memory and lead to a crash, and in some cases it gives an attacker access to ‘sensitive information’.

“If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.”

CWE-125 (Out-of-bounds read): The software reads data before the beginning or past the end of a buffer. An attacker can use this to read sensitive information from other memory locations, or to cause a system crash.
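To make the CWE-119 and CWE-125 descriptions above concrete, here is an added example (not code from Huawei, Swascan or the original article) built around a constructed length-prefixed record: one length byte followed by that many payload bytes. The unsafe parser trusts the length byte, so on a truncated record the view it hands back runs past the end of the buffer (the out-of-bounds read); the hardened parser checks the claimed length against the bytes actually present, and the copy routine adds the second check, against the destination's capacity, that the write side of CWE-119 needs. All names and the record format are assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a minimal length-prefixed record,
 *   [1 byte length][length bytes of payload]
 * Illustrative code only, not Huawei or Swascan code. */

struct view {
    const uint8_t *p;   /* start of payload */
    size_t n;           /* bytes the caller will go on to read */
};

/* CWE-125 pattern: trusts the length byte without comparing it to the
 * bytes actually present. On a short buffer the returned view runs past
 * the end, and a caller that memcpy()s v.n bytes reads adjacent memory. */
struct view view_unsafe(const uint8_t *buf, size_t buflen)
{
    struct view v;
    (void)buflen;              /* the bug: the real size is ignored */
    v.p = buf + 1;
    v.n = buf[0];
    return v;
}

/* Hardened: the payload must fit inside the buffer. Returns 0 on
 * success, -1 if the record is truncated. */
int view_safe(const uint8_t *buf, size_t buflen, struct view *out)
{
    if (buflen < 1)
        return -1;
    size_t len = buf[0];
    if (len > buflen - 1)      /* written this way so 1 + len cannot wrap */
        return -1;
    out->p = buf + 1;
    out->n = len;
    return 0;
}

/* How many bytes past the end of buf a view would read; 0 when it fits.
 * Computed with sizes only, so it is safe to call on a bad view. */
size_t overrun_bytes(struct view v, const uint8_t *buf, size_t buflen)
{
    size_t end = (size_t)(v.p - buf) + v.n;
    return end > buflen ? end - buflen : 0;
}

/* CWE-119 write side: copying the payload into a fixed destination needs
 * a second check, against the destination's capacity. Returns the number
 * of bytes copied, or -1. */
int copy_payload(const uint8_t *buf, size_t buflen, uint8_t *dst, size_t dstlen)
{
    struct view v;
    if (view_safe(buf, buflen, &v) != 0)
        return -1;
    if (v.n > dstlen)
        return -1;
    memcpy(dst, v.p, v.n);
    return (int)v.n;
}

int main(void)
{
    /* Constructed inputs: a well-formed record and a truncated one whose
     * length byte claims 255 bytes while only 3 follow. */
    const uint8_t good[] = { 0x03, 'a', 'b', 'c' };
    const uint8_t bad[]  = { 0xff, 'a', 'b', 'c' };
    uint8_t dst[16];
    struct view v;

    v = view_unsafe(bad, sizeof bad);
    printf("unsafe view on truncated record overruns by %zu bytes\n",
           overrun_bytes(v, bad, sizeof bad));
    printf("safe view on truncated record: %d\n", view_safe(bad, sizeof bad, &v));
    printf("copy of good record: %d bytes\n",
           copy_payload(good, sizeof good, dst, sizeof dst));
    printf("copy into 2-byte destination: %d\n",
           copy_payload(good, sizeof good, dst, 2));
    return 0;
}
```

The unsafe view is never dereferenced here; `overrun_bytes` reports the 252 bytes a `memcpy` of that view would have read past the end. Under AddressSanitizer the same copy on a heap buffer is reported as a heap-buffer-overflow read, which is the quickest way to confirm a suspected CWE-125 in a real parser.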

CWE-78 (OS command injection): The software “constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralise or incorrectly neutralises special elements that could modify the intended OS command when it is sent to a downstream component”.

An attacker can then execute unauthorised commands, which could disable the software or give indirect access to data.

“Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner.”
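The CWE-78 passage above, as an added example that is not code from Huawei, Swascan or the article. It assumes a constructed diagnostics feature that pings a user-supplied host: the unsafe function pastes the input into a shell command line, so the constructed attacker value `example.com; cat /etc/passwd` becomes two commands; the hardened path allowlists what a hostname may contain and then builds an argv for `execvp()`, so no shell ever parses the value. Nothing here calls `system()` or `execvp()`; the built command line and argv are only inspected.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a "diagnostics" endpoint that pings a host the
 * user supplies. Illustrative code, not from Huawei or Swascan. Nothing
 * here calls system(); the built strings are only inspected. */

#define CMD_MAX 256

/* CWE-78 pattern: user input is pasted into a shell command line.
 * Shell metacharacters in host (; | & ` $( ) and newline) become part of
 * the command the shell runs. Returns the length of the command built. */
int build_cmd_unsafe(const char *host, char *cmd, size_t cmdlen)
{
    return snprintf(cmd, cmdlen, "ping -c 1 %s", host);
}

/* Neutralisation by allowlist: accept only what a hostname can contain
 * (letters, digits, '.', '-'), cap the length, and refuse a leading '-'
 * or '.' so the value cannot be parsed as an option (argument injection),
 * which matters even when no shell is involved. Returns 1 if acceptable. */
int valid_hostname(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-' || host[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened: validate, then build an argv for execvp(). Each element is a
 * separate argument, so no shell ever parses the host string. Returns the
 * number of argv entries (excluding the NULL terminator), or -1. */
int build_argv_safe(const char *host, const char *argv[5])
{
    if (!valid_hostname(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* Constructed attacker input: a hostname followed by an injected command. */
    const char *evil = "example.com; cat /etc/passwd";
    char cmd[CMD_MAX];
    const char *argv[5];

    build_cmd_unsafe(evil, cmd, sizeof cmd);
    printf("shell would run: %s\n", cmd);            /* two commands, not one */
    printf("valid_hostname(evil) = %d\n", valid_hostname(evil));
    printf("build_argv_safe(evil) = %d\n", build_argv_safe(evil, argv));
    if (build_argv_safe("example.com", argv) == 4)
        printf("argv[3] = %s (passed verbatim, never parsed by a shell)\n", argv[3]);
    return 0;
}
```

The argv construction is the actual fix; the allowlist is defence in depth and also closes the argument-injection case (`-c` and friends) that switching away from the shell does not cover on its own. Escaping individual metacharacters instead of allowlisting is the usual source of "incorrectly neutralises" findings, because each shell and each downstream tool has its own list.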

Swascan reaffirms that Huawei is cooperating with the company, which it says demonstrates the two ingredients of security: a secure IT infrastructure run by qualified staff, and the skills and tools that cybersecurity experts provide.
