SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Huawei working to patch critical security vulnerabilities
Wed, 10th Jul 2019

Just when Huawei thought it was getting something of a reprieve from governments and the press, yet another piece of research highlights that the company isn't immune from security threats, though it is working to fix them.

An Italian cybersecurity company called Swascan examined Huawei's sites and applications.

But Swascan didn't just pick on Huawei – the company has also researched Adobe, Microsoft, and Lenovo vulnerabilities, proving that plenty of tech companies are exposed to security issues and risks.

"In the world of cybersecurity, the principle of collaboration is finally establishing itself. The risks increase by a huge margin every year and this has mandated a cultural as well as technological paradigm shift," comments Swascan cofounder Pierguido Iezzi.

“Our experience with Huawei shows that if these values are correctly understood they can be an additional backbone to create an effective and efficient cybersecurity framework.”

Huawei is proactively working with Swascan researchers to fix the vulnerabilities, which could affect three main areas: confidentiality, integrity, and availability.

CWE-119 (Improper restriction of operations within the bounds of a memory buffer): This means an attacker can read or write to memory outside the boundary of a buffer. This can corrupt memory and lead to a crash, and in some cases, it could give attackers access to ‘sensitive information’.

“If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.”

CWE-125 (Out-of-bounds read): This allows software to read data before the beginning or past the end of a buffer, which means attackers can read sensitive information from other memory locations, or they can cause a system crash.

CWE-78 (OS command injection): This allows software to “construct all or part of an OS command using externally-influenced input from an upstream component. However, it does not neutralise or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component”.

Attackers can then execute unauthorised commands that could disable software or access data indirectly.

“Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner.”
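The CWE-78 pattern described above, next to a hardened form, as an added example that is not from the original story or from any Huawei or Swascan code. It assumes a POSIX system with `echo` on the path; the function names and the sample input are constructed for illustration.

```python
import re
import subprocess

# Allowlist for the only input the command should ever see: a DNS-style hostname.
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def lookup_vulnerable(host: str) -> str:
    """CWE-78 pattern: external input is concatenated into a shell command line."""
    # The shell parses the whole string, so ';', '|', '&&' or '$()' inside
    # `host` become command syntax rather than data.
    result = subprocess.run("echo lookup: " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def lookup_hardened(host: str) -> str:
    """Validate against an allowlist, then pass an argument list with no shell."""
    if not HOSTNAME.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    # Argument vector: each element reaches the program as one argv entry,
    # and no shell is involved to interpret special characters.
    result = subprocess.run(["echo", "lookup:", host],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample input; the trailing command is a harmless marker.
SAMPLE = "example.com; echo INJECTED"

if __name__ == "__main__":
    # Vulnerable form: the marker command runs as the application itself.
    print(lookup_vulnerable(SAMPLE).splitlines())
    # Hardened form: the same input is rejected before any process starts.
    try:
        lookup_hardened(SAMPLE)
    except ValueError as exc:
        print(exc)
    print(lookup_hardened("example.com").splitlines())
```

The second output line of the vulnerable call is produced by the application's own process, which is why such activity appears to come from the application or its owner.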

Swascan reaffirms that Huawei is cooperating with the company, which demonstrates that there are two ingredients to security: A secure IT infrastructure and qualified staff, as well as skills and tools that cybersecurity experts provide.