CSP-CERT® Vulnerability Report:
Huawei E5330 Cross Site Request Forgery

by CSP CERT® Red Team
posted September 2018



The CSP CERT® Vulnerability Research Team discovered a cross-site request forgery vulnerability on Huawei E5330 Mobile WiFi which was previously distributed by local telecoms with the following software and hardware versions:

Hardware version: CH1E5330SM
Software version: 21.210.09.00.158
Web UI version: 15.100.09.00.158

Vulnerability Information

CWE-352: Cross-Site Request Forgery (CSRF) - Assigned to be included in CVE-2014-5395

The Mobile WiFi having the said firmware version doesn't have any protection from cross-site request forgery attacks. If a user is logged-in as an administrator while visiting a crafted webpage containing a request to change the current state of the device, the device will process the request accordingly. A malicious request can only happen if the user has an active session which also reduces the risk for this vulnerability.

Impact

If the user has an active administrator session and a malicious webpage is visited, a remote attacker can hijack the authentication to process a request. This request can be for modification of the current device's settings or send SMS text which can lead to a malicious campaign like sending SPAM or phishing links.

Mitigation

According to Huawei, they have already distributed a software fix version 21.210.21.00.158 since 2015 that should have addressed the issue. The users who still has the affected version should contact the service center directly to have their firmware updated.

References

Vendor Information

Vendor: Huawei
Date Notified: August 1, 2018
Public Disclose: September 10, 2018