[afnog] Vulnerable Huawei modem

Jean-Robert Hountomey hrobert at africacert.org
Wed Oct 18 08:35:10 UTC 2017


Hi Logan, thanks for your efforts to help all of us. I am not sure this
is the channel or the list. One always tries to coordinate vulnerability
findings with the vendor before public disclosure. Also, when one does
not agree with the vendor, there are third party coordinators that can
be engaged. One may also engage the CSIRT in one's country. Please reach
out to vulcoord(at)africacert.org if you want further assistance. Thank
you. Regards.

-Jean-Robert


On 10/17/17 12:12 PM, Loganaden Velvindron wrote:
> On Tue, Oct 17, 2017 at 7:03 PM, Jean-Robert Hountomey
> <hrobert at africacert.org> wrote:
>> Huawei still says that they are investigating: http://www.huawei.com/en/psirt/security-notices/huawei-sn-20171006-01-dnsmasq-en
>>
>> I think it is worth reaching out to their PSIRT Team and try to get an answer, fix plan from them:
>> http://www.huawei.com/en/psirt/report-vulnerabilities
>>
> Thank you JR,
>
> Huawei replied back 4 days ago. They acknowledged the issue and are
> discussing with their production line regarding dnsmasq and also
> running the process as root. dnsmasq supports running as an
> unprivileged user.
>
> However, they haven't given an ETA regarding firmware update
> availability, and this is why I sent the email on afnog to ask large
> Huawei customers in the region to request for firmware updates.
>
> I also sent a query regarding source code build for the firmware
> (model Huawei HG8245H), as the firmware contains GPL components. Those
> are not available on the website they referred me to
> (http://consumer.huawei.com/en/opensource/).
>
> Interestingly, one of their competitors (Zyxel) already has a timeline
> for firmware updates:
> https://www.zyxel.com/support/ci_general_20171012_787965.shtml
