
Huawei working to patch critical security vulnerabilities

10 Jul 2019

Just when Huawei thought it was getting something of a reprieve from governments and the press, yet another piece of research highlights that the company isn't immune from security threats. The company is, however, working to fix them.

An Italian cybersecurity company called Swascan examined Huawei’s sites and applications.

But Swascan didn’t just pick on Huawei – the company has also researched Adobe, Microsoft, and Lenovo vulnerabilities, proving that plenty of tech companies are exposed to security issues and risks.

“In the world of cybersecurity, the principle of collaboration is finally establishing itself. The risks increase by a huge margin every year and this has mandated a cultural as well as technological paradigm shift,” comments Swascan cofounder Pierguido Iezzi.

“Our experience with Huawei shows that if these values are correctly understood they can be an additional backbone to create an effective and efficient cybersecurity framework.”

Huawei is proactively working with Swascan researchers to fix the vulnerabilities, which could affect three main areas: confidentiality, integrity, and availability.

CWE-119 (Improper restriction of operations within the bounds of a memory buffer): This means an attacker can read or write to memory outside the boundary of a buffer. This can corrupt memory and lead to a crash, and in some cases, it could give attackers access to ‘sensitive information’.

“If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.”

CWE-125 (Out-of-bounds read): This allows software to read data before the beginning or past the end of a buffer, which means attackers can read sensitive information from other memory locations, or they can cause a system crash.

CWE-78 (OS command injection): This allows software to “construct all or part of an OS command using externally-influenced input from an upstream component. However, it does not neutralise or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component”.

Attackers can then execute unauthorised commands that could disable software or access data indirectly. 

“Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner.”
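The CWE-78 description above can be seen in a few lines of Python. This is an added example, not code from Swascan, Huawei or the original article; the function names, the `echo` stand-in for the wrapped tool and the sample host value are assumptions made for illustration. It puts the weak pattern (input pasted into a shell string) beside two mitigations: passing the input as a single argument with no shell, and allow-list validation before the call.

```python
import re
import subprocess
import sys

# Hypothetical allow-list for a hostname-like value: letters, digits, dots, hyphens.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def run_unsafe(host: str) -> list[str]:
    """CWE-78 pattern: externally influenced input is pasted into a shell string."""
    cmd = f"echo resolving {host}"  # the shell interprets ';', '|', '$()' inside host
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_argv(host: str) -> list[str]:
    """No shell: the input is one argv element and is never parsed as command syntax."""
    argv = [sys.executable, "-c", "import sys; print('resolving', sys.argv[1])", host]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_hardened(host: str) -> list[str]:
    """Validate against the allow-list first, then use the argv form."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return run_argv(host)


# Constructed sample input: a host value carrying a shell command separator.
SAMPLE = "example.test; echo INJECTED"

if __name__ == "__main__":
    print("unsafe  :", run_unsafe(SAMPLE))    # two commands ran, not one
    print("argv    :", run_argv(SAMPLE))      # one command, input kept as data
    try:
        run_hardened(SAMPLE)
    except ValueError as exc:
        print("hardened:", exc)               # input refused before any process starts
    print("hardened:", run_hardened("example.test"))
```

In the unsafe form the second command runs with the application's own privileges, which is why the quoted text says the activity appears to come from the application or its owner.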

Swascan reaffirms that Huawei is cooperating with the company, which demonstrates that there are two ingredients to security: A secure IT infrastructure and qualified staff, as well as skills and tools that cybersecurity experts provide.
