Huawei enterprise and broadcast products have a crypto bug. Fix it now!

Huawei has rolled out security fixes for some enterprise and broadcast products to address a cryptography issue tracked as CVE-2017-17174.

Huawei has released security updates for some enterprise and broadcast products to address a cryptography issue that was discovered in late 2017.

The vulnerability, tracked as CVE-2017-17174, is related to the implementation of an insecure encryption algorithm and could be exploited to power MiTM attack to decrypt a session key and recover the content of the entire session.

“There is a weak algorithm vulnerability in some Huawei products. A remote, unauthenticated attacker may capture traffic between clients and the affected products.” reads the security advisory  published by Huawei.

“Due to the use of insecure encryption algorithm, the attacker may decrypt the session key by some cryptanalytic operations and the traffic between the server and the client. Successfulexploit may cause informationleak.”

The following Huawei products using RSA encryption in TLS are potentially vulnerable:

  • The RSE6500 Recording and Streaming Engine version V500R002C00. A high-performance, full-HD recording and streaming engine that supports live video multicast and mobile Video on Demand (VoD).
  • The SoftCo unified communications software version V200R003C20SPCb00;
  • The VP9660video conferencing multipoint control units version V600R006C10;
  • Multiple versions of its eSpace U1981 IP telephony and enterprise communications universal SIP gateway.

Huawei rated the vulnerability as a 5.3 (medium) because it is not easy to exploit, the company has released software updates to address the flaw for all of its solution except for the unified communications software SoftCo that has been deprecated.

Every flaw discovered in products of Chinese and Russia firm trigger the alarm of governments that are already banning their solution from critical infrastructure and government offices.

In May, the Pentagon ordered retail outlets on US military bases to stop selling Huawei and ZTE products due to unacceptable security risk they pose.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.