There's Huawei too many vulns in Chinese giant's firmware: Bug hunters slam pisspoor code

Huawei, the Chinese manufacturing giant targeted by the Trump administration as a national security threat, has some of the least secure networking products in the industry, according to Finite State.

The US-based IoT-security outfit said it analyzed more than 1.5 million files associated with 9,936 firmware images linked to 558 products in Huawei’s enterprise networking portfolio – and found them wanting. Its dataset consists of Huawei firmware over the past 14 years, up to April 2019.

"In short, we've concluded that Huawei devices have a weaker security posture than other brands, and there are significant security risks associated with using these devices," said Matt Wyckhouse, co-founder and CEO of Finite State, in a video about his organization's findings.

About 55 per cent of Huawei products, the bug hunters said in a report issued on Wednesday, had at least one potential backdoor, which is to say a serious or critical CVE-assigned flaw that an attacker may be able to exploit. This mostly covers hardcoded login credentials and remote-code execution holes, which can be leveraged to hijack kit, though some lesser flaws, such as information disclosure, will be included in that count. However you look at it, more than one in two Huawei products have serious or critical security failings, some of which could be exploited as backdoors.

The report notes that no attempt is being made to address whether any of the security flaws found might have been introduced intentionally, despite its use of the term "backdoor," which generally implies intentional technical sabotage. Finite State attempts to get around this by stating that backdoors can be both unintentional and intentional.

Huawei device firmware contains many known vulnerabilities associated with third-party and open source libraries, the report says. On average, each firmware image analyzed had 102 known CVEs, about 27 per cent of which are rated either high or critical in terms of severity.

For example, Finite State found 79 different OpenSSL versions, the oldest of which dates back to 1999. The company said it found no evidence that Huawei backports security patches into older binaries, as security-conscious vendors do.

In extreme cases, some firmware images had more than 1,400 CVEs. A spokesperson from Finite State did not immediately respond to a request for comment – The Register would like to see how firmware from other vendors fares when subject to the same automated testing. The report contends Huawei's CVE numbers are high by any standard.

Finite State's analysis does include a comparison between the Huawei CE12800, the Arista 7280R, and the Juniper EX4650. None of the three devices were perfect and in some instances the devices had comparable problems – each had close to the same level of unsafe function calls, for example. But the Huawei data center switch had the highest risk rating overall.

"In all but three categories, the Huawei device had the highest risk factor, generally by a substantial margin," the report says.

The report goes on to say there's reason to believe zero-day vulnerabilities based on memory corruption are common in Huawei devices.

'Backdoor vulnerabilities'

"Through analysis of device firmware, we discovered that there were hundreds of cases of potential backdoor vulnerabilities – improper default configurations that could allow Huawei or a malicious attacker to covertly access a user’s device," the report says. "These vulnerabilities manifested in the form of hard-coded, default user accounts and passwords, and several types of embedded cryptographic keys."

The security vendor's analysis of a subset of firmware images (1,162 related to routers, enterprise switches, 4G LTE devices, IP phones, blade chassis controllers and a few other types of gear) found 343 of the images (29 per cent) contained one or more default credentials, with 227 having a default password for the root user.

Many of the firmware images contained default and hard-coded cryptographic keys. Some 252 of the images had private keys, 62 had private host keys (for SSH servers), and 8 had an authorized_keys files, which can be used to enable backdoor access on a device.

It gets worse. After looking at Huawei's coding practices, Finite State found little enthusiasm for secure coding mechanisms: about 35 per cent of binaries had address space layout randomization (ASLR) enabled; about 12 per cent implemented relocation read only (RELRO); about 74 per cent of binaries had data execution prevention (DEP) enabled; and about 27 per cent used StackGuard to defend against stack-buffer overflows.

The firm looked for safe functions that defend against memory corruption. It found them in only 17 per cent of the functions present in the firmware. The company observes that despite Huawei's recent pledge to invest $2bn to improve the security of its products, its findings "do not indicate the type of improvement we expect to see from a company who has stated they have focused efforts and investments targeted at improving their security program."

"Based on the pervasiveness of these secure coding vulnerabilities across enterprise and consumer grade equipment produced by Huawei, we can definitively conclude that Huawei, as an organization, does not practice secure coding principles," the report says

Despite the report's insistence that it does not address whether any of the flaws may represent deliberate attempts at espionage, it nonetheless makes clear that's a possibility by pointing out that Chinese National Intelligence Law of 2016 requires all companies to assist national intelligence work – even as it cites past Huawei statements insisting the Chinese government could not force it to install backdoors.

Spokespeople for Huawei remain silent on the findings. ®

PS: As we've noted before, Huawei is not alone in shipping insecure products, just ask Cisco, though its track record in the enterprise space is not looking great, you have to admit.