steven36 Posted September 18, 2020

Telecom kit maker points finger in the general direction of Middle Kingdom's complicated supply chain

Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment.

In a disclosure published this week, Alexei Kojenov, lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 video encoders powered by the hi3520d chipset from Huawei's HiSilicon subsidiary. The security holes are present in software, whose developer is unknown, that runs on top of a Linux stack provided by HiSilicon for products using its system-on-chips.

"The vulnerabilities exist in the application software running on these devices," said Kojenov in his post. "All vulnerabilities are exploitable remotely and can lead to sensitive information exposure, denial of service, and remote code execution resulting in full takeover of the device."

The critical flaws include: an administrative interface with a backdoor password (CVE-2020-24215); root access via telnet (CVE-2020-24218); and unauthenticated file upload (CVE-2020-24217), which enables malicious code execution and command injection. All of these can be exploited over the network or internet to hijack vulnerable equipment.

Kojenov also flagged vulnerabilities of high and medium severity: a buffer overflow (CVE-2020-24214) that stops the thing from working properly, and a way to access RTSP video streams without authorization (CVE-2020-24216).

Huawei insists the vulnerabilities were not introduced by its HiSilicon chips nor the SDK code it provides to manufacturers that use its components. That would mean someone else provided the makers of these video encoder devices application software riddled with holes, and this code was shipped with the equipment. The products just all happen to use the hi3520d chipset.

In a statement emailed to The Register and posted online, a Huawei spokesperson said, "Following the media reports about the suspected security issues (CVE-2020-24214, CVE-2020-24215, CVE-2020-24216, CVE-2020-24217, CVE-2020-24218, and CVE-2020-24219) in HiSilicon video surveillance chips on September 16, 2020, Huawei has launched an immediate investigation. After technical analysis, it was confirmed that none of the vulnerabilities were introduced by HiSilicon chips and SDK packages. Huawei is in favor of coordinated vulnerability disclosure by all organizations and individuals in the security research ecosystem to reduce the impact on stakeholders."

Huawei said all the vulnerabilities mentioned in the report reside in the application layer provided by the equipment vendors. "These vulnerabilities are not introduced by the chips and SDKs provided by HiSilicon," the Middle Kingdom giant said.

CMU's CERT Coordination Center said the vulnerabilities exist in various network services running on various manufacturers' devices that use HiSilicon's parts, and are the result of software bugs, such as insufficient input validation and hardcoded credentials.

The encoders are used to stream video over IP networks, converting raw video signals to digital video using compression standards like H.264 or H.265 for distribution through a service like YouTube, or to be viewed directly in a web or app-based video player as an RTSP or HLS stream.

Kojenov says he analyzed video encoders from URayTech, J-Tech Digital, and Pro Video Instruments, and found their devices to be vulnerable to some or all of the reported flaws. He also identified several other vendors offering products based on the same system-on-chip, and he believes they may share some or all of the flaws: this includes equipment from Network Technologies Incorporated, Oupree, MINE Technology, Blankom, ISEEVY, Orivison, WorldKast/procoder, and Digicast.

Kojenov said he notified various vendors but only one, Pro Video Instruments, took the notice seriously and responded. Most vendors, he said, have not yet issued a fix for these flaws. And in the absence of a patch, he advises that network admins make sure affected devices are behind a firewall with no externally exposed ports and with rules to block untrusted access.

He was able to find several hundred potentially vulnerable devices using the security-oriented search service shodan.io, and he expects these publicly exposed encoders are all exploitable over the internet.

"While most vulnerabilities seem unintentional (i.e. coding mistakes), one of them stands out," said Kojenov. "The hardcoded password is a deliberate backdoor."

In a message to The Register, he said all the vulnerabilities except for the telnet flaw resided in a single executable program that's part of the software on these devices. "I'm not sure the vendors who build and sell these devices have much control over it," he said. "I don't know if they have the source code for the program or it is distributed in binary form."

Taking Huawei's representations at face value, we're left to wonder where in the complicated manufacturing supply chain things went wrong. As Kojenov suggested in his report, most of the flaws appear to be unintentional coding mistakes. The fact that it's not clear where these problems originated or who's responsible should be at least as concerning as the specific risks posed by the bugs themselves.

Huawei maintains it wants to work toward better security. "As an important part of the supply chain of video surveillance devices, HiSilicon is willing to collaborate with downstream equipment vendors and researchers through coordinated response to cyber security risks brought by the vulnerabilities mentioned in the report and protect the interests of end users," the tech goliath concluded.

B2gfserwe Posted September 28, 2020

For more info see here: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/

Update 2020-09-17: Huawei issued a statement saying that none of the vulnerabilities have been introduced by HiSilicon chips and SDK packages. He will update this article as more information comes in.

This article discloses critical vulnerabilities in IPTV/H.264/H.265 video encoders based on HiSilicon hi3520d hardware. The vulnerabilities exist in the application software running on these devices. All vulnerabilities are exploitable remotely and can lead to sensitive information exposure, denial of service, and remote code execution resulting in full takeover of the device. With multiple vendors affected, and no complete fixes at the time of the publication, these encoders should only be used on fully trusted networks behind firewalls. I hope that my detailed write-up serves as a guide for more security research in the IoT world.

Summary
Background
Hardware
Network recon
    23 - telnet
    80, 8086 - web application
    554, 8554 - RTSP
    1935 - RTMP
    5150 - serial to TCP
    9588 - another web server
Firmware analysis
    Content
    Password file and telnet access
Local recon
    The base system
    Processes
    Ports
    Dumping the file system
Reverse engineering
    Modifying the boot
    Remote debugging
    Decompiling
Vulnerabilities and exploits
    Backdoor password (CVE-2020-24215)
    root access via telnet (CVE-2020-24218)
    Arbitrary file disclosure via path traversal (CVE-2020-24219)
    Unauthenticated file upload (CVE-2020-24217)
    Arbitrary code execution by uploading malicious firmware
    Arbitrary code execution via command injection
    Buffer overflow: definite DoS and potential RCE (CVE-2020-24214)
    Unauthorized video stream access via RTSP (CVE-2020-24216)
Disclosure
    Affected vendors
    Coordinated disclosure
    Remediation
Conclusion
Exploit demos
Exploit scripts
Links

US finds new Huawei to hurt China with new sanctions at top chip maker SMIC

Alleges silicon has military applications so puts more products on 'get a license before exporting' lists

The US government has told American companies that make semiconductor manufacturing kit that they must obtain a licence to export their products to China's largest chip maker, the Semiconductor Manufacturing International Corporation (SMIC).

The US Department of Commerce said American exports to SMIC pose an "unacceptable risk" of being used for "military end use", according to a copy of a letter seen by the Financial Times. The news was subsequently reported by several newswires that said they, too, had seen the document.

SMIC has worked for several US-based fabless silicon designers, including Qualcomm, Broadcom, and Texas Instruments, among others. Huawei is thought to be another client, and SMIC has also applied to continue supplying the controversial company.

Although the Department of Commerce directive is aimed at American businesses, it may extend to include foreign companies that use US technology, such as Japan's Tokyo Electron, which supplies chip-making kit such as etching machines and film deposition equipment to SMIC. Nikon and Canon have also promoted semiconductor exposure devices to Chinese clients.

The rules have the potential to derail China's push to become self-sufficient in semiconductors and reduce its dependence on US technology. Under the "Made in China 2025" strategy, the country aims to make 70 per cent of its semiconductors locally, up from less than 20 per cent now. SMIC, one of the country's "national champions", is considered the flagbearer of the plan.

The impact of the new rules depends on which SMIC suppliers Washington decides to target. In the worst-case scenario, the US could use the rules to cut off SMIC from US chip-making kit and software entirely. The Reg suspects that the US will not deprive American businesses of all trade, but will make it hard for SMIC to make advanced products that could help China's government or military.

SMIC's current mainstay chips are made on 55nm to 65nm processes, but it can also produce more advanced 14nm silicon. Analysts believe the company is two generations behind rival Taiwan Semiconductor Manufacturing Company, which produces chips using 5nm tech for the smartphone market.

In response to the directive, SMIC said it "has no relationship with the Chinese military, and does not manufacture for any military end user or end uses". The company said it had not received any formal notification of the sanctions.

https://www.theregister.com/2020/09/28/us_throws_new_sanctions_at/
This topic is now archived and is closed to further replies.