Microsoft security researchers have disclosed arguably the most high-profile security vulnerabilities identified in a Huawei product to date. Perhaps surprisingly, the finding appears to have sparked little reaction so far from those campaigning to ban the Chinese network hardware behemoth from European networks.
The vulnerabilities, disclosed by Microsoft’s Amit Rapaport, were rapidly patched by Huawei. Microsoft attributed the issue to weak design rather than to any deliberate backdoor: “Anomalous behaviors typically point to attack techniques perpetrated by adversaries with only malicious intent. In this case, they pointed to a flawed design that can be abused.”
The Huawei Vulnerability
Microsoft identified two related vulnerabilities, assigned CVE-2019-5241 and CVE-2019-5242. (Both were addressed in the same Huawei security advisory.)
Huawei described them as a privilege escalation vulnerability and a code execution vulnerability: “Successful exploitation may cause the attacker to execute malicious code and read/write memory. (Vulnerability ID: HWPSIRT-2018-11152)”
They were caught thanks to new security measures in Windows 10, version 1809, which added kernel sensors designed to spot code injection into user-mode processes that is initiated from the kernel.
(The sensors were introduced to catch threats like DOUBLEPULSAR, the kernel-mode backdoor that the WannaCry ransomware used to inject its main payload into user space. The implant was developed by the US National Security Agency (NSA) and leaked by the Shadow Brokers group in 2017.)
The find came after the alert process tree in Windows Defender Advanced Threat Protection showed “abnormal memory allocation and execution in the context of services.exe by a kernel code”, Microsoft’s security team wrote in a blog post.
They traced this to Huawei PC Manager, device management software for Huawei MateBook laptops that Microsoft identified as “exhibiting unusual behaviour”. A Huawei-written driver, designed to monitor the software (restarting it if it crashed), was injecting code into a privileged Windows process, services.exe, and then running that code via an asynchronous procedure call (APC).
It is unclear why this tool was necessary; Windows already offers built-in recovery options, via the Service Control Manager, for services that crash. Ultimately, however, what Microsoft dubbed a “design weakness” meant an attacker could hijack the driver and use it to escalate privileges: the watchdog restarted whatever it had been pointed at, without verifying that it was the legitimate Huawei executable. “Because watched processes are blindly launched by the watchdog when they’re terminated, the attacker-controlled executable would be invoked as a child of services.exe, running as LocalSystem, hence with elevated privileges”, Microsoft noted.
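The design weakness is a general one: a privileged watchdog that relaunches a process by path, without checking what is now at that path, hands its own privileges to whoever can substitute or redirect the file. The example below is added here to illustrate that principle; it is not Huawei’s driver, Microsoft’s analysis, or the vendor’s fix. It contrasts a blind relaunch with a relaunch that first confirms the image lives under a directory only administrators can write and that its contents match a hash pinned at install time. The directory names, file contents, pinned hash and the stand-in for process creation are all constructed for the demonstration.

```python
"""Blind vs verified watchdog relaunch (added illustration, constructed data).

blind_relaunch() models the weak design: whatever is at the registered path
gets executed with the watchdog's privileges. verified_relaunch() models a
hardened design that checks path containment and a pinned content hash first.
"""

import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def blind_relaunch(registered_path: str) -> str:
    """Weak pattern: return the image that would be executed, with no check.
    (Stands in for the privileged process-creation call.)"""
    return os.path.realpath(registered_path)


def verified_relaunch(registered_path: str, trusted_dir: str, pinned_sha256: str):
    """Hardened pattern. Returns (image_path, "ok") or (None, reason)."""
    real = os.path.realpath(registered_path)      # resolve links/junctions first
    trusted = os.path.realpath(trusted_dir)
    # Containment is checked on the *resolved* path, so a link inside the
    # trusted directory that points elsewhere is rejected too.
    if os.path.commonpath([real, trusted]) != trusted:
        return None, "image outside trusted directory"
    if not os.path.isfile(real):
        return None, "image missing"
    if sha256_of(real) != pinned_sha256:
        return None, "image hash mismatch"
    return real, "ok"


def demo() -> dict:
    """Construct a trusted install directory and an attacker-writable one,
    then exercise both watchdog behaviours. Returns the observed outcomes."""
    root = tempfile.mkdtemp()
    trusted_dir = os.path.join(root, "Program Files", "Vendor")   # constructed
    attacker_dir = os.path.join(root, "Users", "attacker")        # constructed
    os.makedirs(trusted_dir)
    os.makedirs(attacker_dir)

    legit_bytes = b"legitimate service image (constructed)"
    evil_bytes = b"attacker payload (constructed)"

    legit = os.path.join(trusted_dir, "service.exe")
    with open(legit, "wb") as f:
        f.write(legit_bytes)
    pinned = sha256_of(legit)          # recorded at install time

    evil = os.path.join(attacker_dir, "service.exe")
    with open(evil, "wb") as f:
        f.write(evil_bytes)

    results = {}
    # Case 1: the watchdog has been pointed at the attacker's copy. The blind
    # watchdog launches it; the verified one refuses on containment.
    results["blind_redirected"] = blind_relaunch(evil) == os.path.realpath(evil)
    results["verified_redirected"] = verified_relaunch(evil, trusted_dir, pinned)[1]
    # Case 2: the file at the trusted path itself was swapped; hash pinning catches it.
    with open(legit, "wb") as f:
        f.write(evil_bytes)
    results["verified_swapped"] = verified_relaunch(legit, trusted_dir, pinned)[1]
    # Case 3: legitimate image restored; relaunch is permitted.
    with open(legit, "wb") as f:
        f.write(legit_bytes)
    results["verified_legit"] = verified_relaunch(legit, trusted_dir, pinned)[1]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would raise. First, a pinned hash breaks on every legitimate update; on Windows the production-grade check is Authenticode signature verification against the vendor’s certificate, with the path containment check kept as a second layer. Second, checking and then launching are separate steps, so the launch must operate on the same opened file (or handle) that was verified, otherwise the file can be swapped in between.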
Huawei (which Microsoft described as responding and cooperating “quickly and professionally”) issued a patch on January 9, 2019. The company added: “This vulnerability was reported to Huawei PSIRT by Amit Rapaport of Microsoft Corp. Huawei would like to thank Amit Rapaport for working with us and coordinated vulnerability disclosure to protect our customers.”
The rapid response and fix may have helped temper critics, to whom the vulnerability might otherwise have been grist to the mill of claims that the Chinese company is a security risk. British security officials last year warned of “critical” shortfalls by the company posing a potential cybersecurity risk to the UK’s critical national infrastructure.
The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, chaired by NCSC CEO Ciaran Martin, said at the time that it could “provide only limited assurance” that risks from the company’s involvement in UK critical networks had been sufficiently mitigated, adding that it was working to remediate the engineering process issues in products already deployed in the UK, prioritising them based on risk profile.
Huawei makes everything from the routers and switches that direct traffic across the internet, to BT’s green street cabinets, to mobile transmission equipment used in masts.
A recent speech by the NCSC’s CEO suggested that officials were not supportive of an outright ban on Huawei equipment being used in the UK: “If you’ve built a telecommunications network in a way that the compromise of one supplier can cause catastrophic national harm, then you’ve built it the wrong way,” Ciaran Martin said.