Huawei Router’larda Guvenlik Acigi

Once haberin linkini vereyim : http://www.infoworld.com/d/security/hackers-reveal-critical-vulnerabilities-in-huawei-routers-defcon-198983

Huawei, biliyorsunuz, Cin devletinin destekledigi network urunleri ureticisi. Gerci son zamanlarda storage da uretmeye basladi sanirim 🙂

Eskiden dalga gecerdik, adamlar Cisco’yu kopyalaya kopyalaya Cin mali router yapiyorlar diye. Sonradan sonraya buyuk projelerde adini duymaya baslayip sasirdik tabi. Turkiye’de de Turk Telekom’da oldukca fazla isler yaptilar ve yapmaya devam ediyorlar.

Tabi gercekten buyuk omurga projelerinde fiyat avantaji ile isi aldiklari dogru. Ama bir de isin stabilite ve guvenlik tarafi var, parayla deger bicilemeyecek onemde.

Her musteri icin, onun ihtiyacina ozel bir “yama” uretmeleri gibi konular var ki, duydukca stabilite konusunda da insan guvenemiyor.

Simdi.. yukarida link’ini verdigim habere gelelim.

Oncelikle acigi bulan Felix ‘FX’ Lindner hakkinda bilgi verelim ki onun Huawei icin yaptigi tespitlerin/yorumlarin havada kalmamasi gerektigi, sozlerinin herhangi birisinin sozlerinden cok daha kiymetli oldugu anlasilsin.

“FX is well known in the computer security community and has presented his and Phenoelit’s security research on Black Hat Briefings, CanSecWest, PacSec, DEFCON, Chaos Communication Congress, MEITSEC and numerous other events. His research topics included Cisco IOS, HP printers, SAP and RIM BlackBerry. Felix holds a title as State-Certified Technical Assistant for Informatics and Information Technology as well as Certified Information Systems Security Professional.”[1]

Router’lar konusundaki calismalari da yeni degil zaten, 2009 Blackhat sunumu da Router Exploitation.[2]

Felix, Huawei AR18 ve AR28 router’larda session hijack, stack overflow ve heap overflow aciklari kesfetmis, cihazlarin da internet uzerinden kontrollerinin saldirgan tarafindan elde edilebildigini belirtmis.

Inceledigi router’lar arasinda Huawei’lerin “en kotu” guvenlik yapisina sahip oldugunu ve daha bir cok acigi barindirdigini, zaten firmware’de AR18’de 10.73000 AR28’de ise 16.420 tane sprintf() cagrisi oldugunu eklemis.

“Sprintf() olmasi ne demek?” diyeniniz varsa, sprintf(), strcat(), strcpy(), gets(), scanf() fonksiyonlari buffer overflow saldirilarina acik, guvensiz fonksiyonlardir.

Bir de web yonetim arabirimi icin session hijack eden bir perl script yazmislar. Bu da UID degiskeninde tutulan session id’leri bruteforce ediyor sanirim.

Velhasil.. Simdi bu Huawei’nin Turkiye’de hangi kritik yerlere konumlandirildigini gozumuzun onunden gecirelim.. Ben dile getiremeyecegim, hedef gostermemek icin. Ama siz dusunun ve simdi su sorularimi cevaplamaya calisin:

* Ucuz diye router veya internete acik durumdaki gateway cihaz tercih edilir mi
* Acaba Huawei’nin Cin’deki firmware’lari bu aciklardan etkileniyor mu, yoksa sadece disariya sattigi urunler mi bu durumda
* Bu aciklar kasitli olarak disariya ihrac edilen urunlerde bulunuyor olabilir mi
* Turkiye’de kac bakanlikta, kac devlet kurumunda, kac ISP’de ve kac bankada Huawei’nin urunleri internetten erisilebilir olarak pozisyonlanmis durumda

Akliniza yeni sorular gelirse onlari da siz soyleyin, ben eklerim buraya 😉

PS: Konuyla ilgili su link de oldukca guzel : http://www.senki.org/defcon-huawei-the-real-risk-and-what-you-should-do-now/

Ozellikle su kisimlari :

The “Real” Direct Risk: The real direct risk has been overlooked since the FX & Gregor’s DEFCON talk. Namely the Huawei AR18 and AR28 routers are exploitable. These exploits pose two major threats. First, companies that use these routers are vulnerable to having these routers violated and then used as a launch pad for further penetration (think the first step in a Advanced Persistent Threat – APT attack). Second, violated routers are extremely valuable to cyber-criminals who use them as part of their SPAM, Phishing, DDOS for hire, and other criminal operations. These groups constantly scan the Internet looking for routers that could be easily hacked. It is logical for these miscreants to add the Huawei AR18 and AR28 routers to their scans.

The Real In-Direst Risk: The facts presented by FX and Gregor on the quality of the code added to Huawei’s response can lead people to believe similar problems exist in other Huawei products. Lazy coding is never an isolated incident. The engineering environment that allows for poor code quality will span different product teams. If there are problems in AR18 and AR28 routers, then there might be problems in all of the other routers. This ambiguity is normally mitigated with aggressive communications between the vendor (Huawei in this case) and the network operator. Security advisories, special briefings, and updates are used to communicate action, concern, and commitment – that are all required to maintain confidence. Huawei is not doing any of this, increasing the concerns and destroying confidence.

 

[1] http://www.recurity-labs.com/content/company/team.shtml
[2] https://www.blackhat.com/presentations/bh-usa-09/LINDNER/BHUSA09-Lindner-RouterExploit-SLIDES.pdf

— FX’in DefCon’daki sunumu http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf