PT-2014-3016 · Huawei · Huawei E355

Jimson K James

Publicado

2014-03-11

Atualizado

2014-03-11

CVE-2013-6031

CVSS v2.0

4.3

Média

Vetor

AV:A/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions Huawei E355 adapter version 21.157.37.01.910

Description The issue allows remote attackers to change passwords and settings, or obtain sensitive information, due to the lack of authentication for API pages. This can be achieved via a direct request to API endpoints such as "api/wlan/security-settings", "api/device/information", "api/wlan/basic-settings", "api/wlan/mac-filter", "api/monitoring/status", or "api/dhcp/settings".

Recommendations For Huawei E355 adapter version 21.157.37.01.910, consider restricting access to the API endpoints "api/wlan/security-settings", "api/device/information", "api/wlan/basic-settings", "api/wlan/mac-filter", "api/monitoring/status", and "api/dhcp/settings" until a patch is available. As a temporary workaround, implement authentication for API pages to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Improper Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-287

Identificadores relacionados

CVE-2013-6031

Produtos afetados

Huawei E355

PT-2014-3016 · Huawei · Huawei E355

CVE-2013-6031

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 4