Overview
The Huawei E355 USB WiFi adapter with firmware version 21.157.37.01.910 has been reported to contain a direct request vulnerability in the web interface (CWE-425).
Description
The Huawei E355 USB WiFi adapter with firmware version 21.157.37.01.910 has been reported to contain a direct request vulnerability in the web interface. An attacker can directly access specific URLs of the device's web interface to gather sensitive configuration information and to change the configuration without authenticating to the device. The reporter, Jimson K James, has written a Metasploit module to exploit the vulnerability.
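The flaw class described above (CWE-425), shown as a vulnerable request dispatcher beside a deny-by-default one. This is an added example, not code from the E355 firmware or from the reporter's module; all paths, handlers, session values and configuration values are hypothetical and constructed.

```python
# Added illustration of CWE-425 (direct request). Every path, handler and
# value below is hypothetical and constructed; none comes from the E355.
SESSIONS = {"constructed-session-id"}            # logged-in sessions
CONFIG = {"ssid": "example-net", "admin_password": "constructed-old"}

def home(req):
    # Vulnerable design: the landing page holds the only session check.
    if req.get("session") not in SESSIONS:
        return 302, "/login"
    return 200, "home"

def login_page(req):
    return 200, "login form"

def get_config(req):
    return 200, dict(CONFIG)                     # sensitive read

def set_password(req):
    CONFIG["admin_password"] = req["body"]["new_password"]  # state change
    return 200, "ok"

ROUTES = {
    ("GET", "/"): home,
    ("GET", "/login"): login_page,
    ("GET", "/api/config"): get_config,
    ("POST", "/api/password"): set_password,
}
PUBLIC = {("GET", "/login")}                     # allowlist of unauthenticated routes

def dispatch_vulnerable(req):
    """Runs whatever handler the URL names; a request that skips the
    landing page never meets a session check."""
    handler = ROUTES.get((req["method"], req["path"]))
    return handler(req) if handler else (404, "not found")

def dispatch_hardened(req):
    """Deny by default: one central session check in front of every
    route that is not explicitly public."""
    key = (req["method"], req["path"])
    handler = ROUTES.get(key)
    if handler is None:
        return 404, "not found"
    if key not in PUBLIC and req.get("session") not in SESSIONS:
        return 401, "authentication required"
    return handler(req)
```

The hardened dispatcher fails closed: a route added later is protected unless someone deliberately places it on the public allowlist.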
Impact
A remote unauthenticated attacker on an adjacent network may be able to change the administrator's password and reconfigure the device.
Solution
We are currently unaware of a practical solution to this problem.
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 4.3 | AV:A/AC:M/Au:N/C:P/I:P/A:N |
Temporal | 3.3 | E:U/RL:ND/RC:UC |
Environmental | 0.8 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Jimson K James for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
CVE IDs: CVE-2013-6031
Date Public: 2014-03-06
Date First Published: 2014-03-06
Date Last Updated: 2014-03-06 14:53 UTC
Document Revision: 15