Chinese networking vendor Huawei has launched an investigation into reports that at least two of its routers have major security vulnerabilities.
The flaws are reported to make the devices subject to takeover through either a heap overflow or a stack overflow in the firmware of the company's AR18 and AR29 series routers.
The purported vulnerabilities were discussed Sunday at the Defcon conference in Las Vegas during a presentation by Felix Lindner, the head of security firm Recurity Labs, and his colleague, security consultant Gregor Kopf.
According to both men, there are literally thousands of calls within the firmware to a function called "sprintf," which is known to have security challenges.
In response, Huawei issued a statement indicating that the company is in the process of verifying the claims.
"Huawei adopts rigorous security strategies and policies to protect the network security of our customers, and abides by industry standards and best practices in security risk and incident management," read the statement.
"Huawei has established a robust response system to address product security gaps and vulnerabilities, working with our customers to immediately develop contingency plans for all identified security risks, and to resolve any incidents in the shortest possible time."
The statement also calls upon the technology industry to promptly report all product security risks so that the vendor's CERT team can address whatever security issues may emerge.
Lindner and Kopf said that, based on the relative quality of the Huawei code, it's likely that additional issues will be found in the near future.
Huawei's AR18 router series is specifically aimed at the SOHO market. The AR29 router series is part of a new product portfolio aimed at enterprise customers.
Issue: 316 | July 2013