Information Disclosure Vulnerability CVE-2018-7900 Makes It Easy for Attackers to Find Huawei Devices at Risk | by NewSky Security
Introduction: Not All Attack Vectors are Created Equal
By 2018, it is commonplace for attackers to deploy both IoT exploits and weak-password attacks to increase their bot counts. However, not all attack vectors are equal in the eyes of attackers, and some become more popular than others. For example, attack vectors that can infect a huge number of IoT devices are much more favored than a vulnerability in a vendor that has only 500 devices online. Hence, in 2018 we saw CVE-2018-14847 (Mikrotik) and CVE-2014-8361 being heavily used. One commonality among them is the sheer number of devices that can be abused using these vulnerabilities. Hence, a security loophole in a big IoT vendor can be a more critical issue than a usual one.
About CVE-2018-7900
CVE-2018-7900 simplifies the process of attacking a router even further. Rather than using a spray-and-pray technique (attacking any device whether it has default credentials or not), an attacker can easily tell whether the router has default credentials without needing to connect to the device, since the router panel leaks this information. Hence the attacker can craft a ZoomEye / Shodan dork to implicitly get a list of the devices that have the default password.
When someone looks at the HTML source code of the login page, a few variables are declared. One of the variables contains a specific value. By monitoring this specific value, one can conclude that the device has the default password.
This string is dorkable and when we searched ZoomEye, we got some concerning numbers on this.
How Easy CVE-2018-7900 Makes It to Hack These Devices
- The attacker does not need to scan the internet to find the devices.
- The attacker does not need to attempt a failed login anymore, or encounter a generic honeypot which doesn’t have this flag.
- The attacker can simply go to ZoomEye, find a list of devices, log in, and do what they want with minimal hacking skills. As easy as that.
Responsible Disclosure and Mitigation
The issue was disclosed to Huawei as a part of NewSky Security’s responsible disclosure initiatives. Huawei was co-operative with us throughout the disclosure, showing that they take their security issues seriously.
Following is the timeline of events:
- Sep 26, 18: Issue discovered and disclosed privately to Huawei.
- Sep 26, 18: Huawei confirms that they got the mail and starts looking into the issue.
- Oct 1, 18: Huawei completes analysis and mentions it is consulting with their customers on how to resolve it.
- Nov 6, 18: Huawei has provided a fix but is working with carrier operators for complete resolution.
- Dec 5, 18: Huawei has finished communication with operators/customers and is ready for a responsible disclosure.
- Dec 19, 18: Issue is disclosed publicly.
Please note: the following details have not been shared in this blog to protect the affected customers:
a) The exact variable, proof of concept details and images explaining the vulnerability.
b) The exact ZoomEye dork and the statistics on the number of affected devices associated with the vulnerability.
NewSky Security IoT Halo detects weak-password-based as well as exploit-based IoT attacks. Also, it is good practice to change the default / weak password of any of your IoT devices as early as possible to avoid leaving low-hanging fruit for IoT hackers.