
Huawei working to patch critical security vulnerabilities

10 Jul 2019

Just when Huawei thought it was getting something of a reprieve from governments and the press, yet another piece of research shows that the company isn't immune from security threats. The company is, however, working to fix them.

An Italian cybersecurity company called Swascan examined Huawei’s sites and applications.

But Swascan didn’t just pick on Huawei – the company has also researched Adobe, Microsoft, and Lenovo vulnerabilities, proving that plenty of tech companies are exposed to security issues and risks.

"In the world of cybersecurity, the principle of collaboration is finally establishing itself. The risks increase by a huge margin every year and this has mandated a cultural as well as technological paradigm shift," comments Swascan cofounder Pierguido Iezzi.

“Our experience with Huawei shows that if these values are correctly understood they can be an additional backbone to create an effective and efficient cybersecurity framework.”

Huawei is proactively working with Swascan researchers to fix the vulnerabilities, which could affect three main areas: confidentiality, integrity, and availability.

CWE-119 (Improper restriction of operations within the bounds of a memory buffer): This means an attacker can read or write to memory outside the boundary of a buffer. This can corrupt memory and lead to a crash, and in some cases, it could give attackers access to ‘sensitive information’.

“If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.”

CWE-125 (Out-of-bounds read): This allows software to read data before the beginning or past the end of a buffer, which means attackers can read sensitive information from other memory locations, or they can cause a system crash.
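As an added illustration of the two memory-safety weaknesses described above (this is constructed example code, not code from Swascan's research or from Huawei's products, whose details the article does not give), here is a small length-prefixed record parser in C. The first version trusts the declared length and can therefore read past the source buffer (CWE-125) or write past the destination (CWE-119); the hardened version checks both bounds before copying, and the walker checks the cumulative offset for every record.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample records: one byte of length, then that many payload bytes. */
const uint8_t REC_OK[]    = {3, 'a', 'b', 'c'};
const uint8_t REC_SHORT[] = {5, 'a', 'b'};          /* claims 5 bytes, carries 2 */
const uint8_t MSG_OK[]    = {2, 'h', 'i', 0, 3, 'a', 'b', 'c'};
const uint8_t MSG_BAD[]   = {2, 'h', 'i', 4, 'x'};  /* last record is truncated */

/* Vulnerable form (CWE-125 over-read of 'in', CWE-119 over-write of 'out'):
 * the attacker-controlled length byte is trusted. Shown for contrast only. */
int read_field_unsafe(const uint8_t *in, uint8_t *out) {
    size_t len = in[0];
    memcpy(out, in + 1, len);     /* runs past either buffer if the length lies */
    return (int)len;
}

/* Hardened form: copies the payload into 'out' and returns its length,
 * or -1 if the record is malformed or would not fit. */
int read_field_safe(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_cap) {
    if (in == NULL || out == NULL || in_len < 1)
        return -1;                /* not even room for the length byte */
    size_t len = in[0];
    if (len > in_len - 1)
        return -1;                /* declared length runs past the source buffer */
    if (len > out_cap)
        return -1;                /* payload would overflow the destination */
    memcpy(out, in + 1, len);
    return (int)len;
}

/* Walks consecutive records; returns their count, or -1 if any record's
 * declared length runs past the end of the buffer. */
int count_fields(const uint8_t *in, size_t in_len) {
    size_t off = 0;
    int n = 0;
    while (off < in_len) {
        size_t len = in[off];
        if (len > in_len - off - 1)   /* bytes remaining after this length byte */
            return -1;
        off += 1 + len;
        n++;
    }
    return n;
}
```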

CWE-78 (OS command injection): This allows software to “construct all or part of an OS command using externally-influenced input from an upstream component. However, it does not neutralise or incorrectly neutralises special elements that could modify the intended OS command when it is sent to a downstream component”.

Attackers can then execute unauthorised commands that could disable software or access data indirectly. 

“Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner.”

Swascan reaffirms that Huawei is cooperating with the company, which demonstrates that security has two ingredients: a secure IT infrastructure and qualified staff on one side, and the skills and tools that cybersecurity experts provide on the other.
