Security researchers have discovered a code execution vulnerability in one of Huawei’s LTE USB dongles.
Part of Huawei’s mobile broadband dongle range, the Huawei LTE USB Stick E3372 can be plugged into a computer to enable users to browse the Internet using an LTE network.
However, cybersecurity company Trustwave discovered a rather easy-to-exploit vulnerability in the device. In a blog post, Trustwave’s Security Research Manager, Martin Rakhmanov, explains that the vulnerability exists because one of the installed files is missing appropriate access control settings.
“All a malicious user needs to do is to replace the file with their own desired code and wait for a legitimate user to start using the cellular data service via Huawei device,” writes Rakhmanov.
Knocking on the wrong door
According to Trustwave, the affected file is automatically executed when a user plugs in the dongle. It’s designed to fire up the default web browser and point it to the dongle’s device management interface.
However, Huawei hasn’t set proper permissions on the file. This enables any authenticated user on the computer to overwrite the file.
Rakhmanov explains that all a malicious user needs to do is to replace the contents of the file with their own malicious code. Now when a user plugs in the dongle, it’ll automatically execute the malicious code.
Trustwave told The Register that it’s been trying to bring the issue to Huawei’s attention for the past several months without making any headway. It turns out that they’ve been reporting the issue to the wrong address.
In any case, once it was informed through the proper channels, Huawei quickly released a patch to fix the permissions on the file.
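The weakness described above is a file that runs automatically yet can be overwritten by any local user. As an added example (not Trustwave's or Huawei's code), this Python check audits a list of auto-run files for that condition, and goes slightly beyond the article by also flagging a world-writable parent directory, which permits the same replacement. It assumes POSIX permission bits, since the article does not name the operating system, and every path and file name in it is a constructed sample.

```python
import os
import stat
import tempfile


def replace_risks(path):
    """Return the reasons a non-owner could overwrite or replace `path`."""
    reasons = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWOTH:
        reasons.append("file is world-writable")
    if mode & stat.S_IWGRP:
        reasons.append("file is group-writable")
    # A writable directory permits delete-and-recreate unless the sticky bit is set.
    parent = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        reasons.append("parent directory is world-writable, no sticky bit")
    return reasons


def audit(paths):
    """Map each risky path to its reasons; safe paths are omitted."""
    checked = ((p, replace_risks(p)) for p in paths)
    return {p: r for p, r in checked if r}


def build_sample(root):
    """Create constructed sample files under `root` (not real vendor paths)."""
    layout = {
        "locked": ("vendor", 0o755, "launcher_ok", 0o755),
        "open_file": ("vendor", 0o755, "launcher_777", 0o777),
        "open_dir": ("shared", 0o777, "launcher_in_open_dir", 0o755),
    }
    paths = {}
    for label, (dirname, dmode, fname, fmode) in layout.items():
        directory = os.path.join(root, dirname)
        os.makedirs(directory, exist_ok=True)
        path = os.path.join(directory, fname)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, fmode)  # explicit chmod so the umask cannot interfere
        os.chmod(directory, dmode)
        paths[label] = path
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for path, reasons in audit(build_sample(root).values()).items():
            print(path, "->", "; ".join(reasons))
```

To check a real installation, pass `audit()` the paths of the files that software on the machine launches automatically.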
Via The Register