- SMB Spotlight
The US Computer Emergency Response Team (CERT) has issued a warning alerting businesses of a flaw in Huawei's popular E355 wireless broadband modem that could be leveraged by hackers to mount cross-site scripting attacks.
The CERT team issued the warning on Monday, revealing that the flaw could leave people connecting to the internet or a cellular network using the modem vulnerable to cyber strikes.
"Huawei E355 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to receive SMS messages using the connected cellular network," explained the advisory.
Huawei released an advisory on the issue in June and confirmed it is working on a fix. “Huawei has analysed and investigated the vulnerability and informed involved customers. Huawei has prepared a fixing plan and started the development and test of fixed versions. Huawei will update the Security Notice if any progress is made," read the advisory.
FireEye director of technology strategy Jason Steer told V3 hackers could use the flaw for a variety of purposes. "Is it bad? Yes, XSS is a high-severity software flaw, because of its prevalence and its ability be used by attackers to trick users into giving away sensitive information such as session cookies," he said.
It is currently unclear if hackers are actively exploiting the flaw but Steer said he would be surprised if it was not.
"I think it's likely hackers are targeting it. I could think of a number of scenarios where having access to the hotspot configuration might be helpful, especially if I wanted to create public hotspot and start to eavesdrop on other users looking for free WiFi to go online," he said.
The CERT team recommended people using the Huawei model temporarily disable scripting in their web browser to avoid falling victim to attack while Huawei works on its fix. "We are currently unaware of a practical solution to this problem. In the meantime, please consider disabling scripting in your web browser," it said.
ESET senior research fellow David Harley mirrored CERT's sentiment and told V3 that, if left unchecked, the flaw definitely has the potential to cause harm.
"If a malicious script was reflected back to the victim's browser and executed, it might be serious: XSS attacks have wide scope in principle. If I was using the vulnerable modem, I'd certainly make sure I had scripting disabled or use an add-on that whitelists scripts," he said.
Huawei is one of many telecoms technology providers to have flaws found in its products in recent weeks. Cisco patched a security flaw affecting multiple versions of its Small Office/Home Office (SoHo) routers on Friday.