Security researchers have discovered a code execution vulnerability in one of Huawei’s LTE USB dongles.

 

Part of Huawei’s mobile broadband dongle range, the Huawei LTE USB Stick E3372 can be plugged into a computer to enable users to browse the Internet using a LTE network.

 

However cybersecurity company Trustwave discovered a rather easy to exploit a vulnerability in the device. In a blog post, Trustwave’s Security Research Manager, Martin Rakhmanov explains the vulnerability exists because one of the installed files is missing appropriate access control settings. 

 

“All a malicious user needs to do is to replace the file with their own desired code and wait for a legitimate user to start using the cellular data service via Huawei device,” writes Rakhmanov.

Knocking on the wrong door

According to Trustwave, this affected file is automatically executed when a user plugs the dongle. It’s designed to fire up the default web browser and point it to the dongle’s device management interface.

 

However, Huawei hasn’t set proper permissions on the file. This enables any authenticated user on the computer to overwrite the file.

Rakhmanov explains that all a malicious user needs to do is to replace the contents of the file with their own malicious code. Now when a user plugs in the dongle, it’ll automatically execute the malicious code.

 

Trustwave told The Register that it’s been trying to bring the issue to Huawei’s attention for the past several months without making any headway. It turns out that they’ve been reporting the issue to the wrong address. 

 

In any case, once it was informed through the proper channels, Huawei quickly released a patch to fix the permissions on the file. 

 

Via The Register