███████ patched • The Register




Huawei has gagged infosec researchers from discussing critical vulnerabilities in the Chinese giant's web systems, which could have been exploited to steal customer information and derail the manufacturer's operations.

A security research team from the Italian group Swascan told The Register on Monday that, in the last month, Huawei had been privately warned of flaws in the telecom kit manufacturer's websites and online services, claiming that the exploitable bugs had been fixed.

However, it is unclear which parts of the Chinese giant's web systems were at risk, what types of information could have been stolen or altered, which parts of the manufacturer's operations could have been affected, and whether the holes were exploited by intruders. Huawei refused to comment. Swascan is forbidden from discussing the matter further, most likely as part of an NDA under Huawei's vulnerability disclosure procedures.

"Swascan's experts have identified a number of critical issues in Huawei's infrastructure and web applications," the Swascan team did at least say in a press release, endorsed by Huawei, on Sunday.

"The resulting vulnerability disclosure revealed some critical vulnerabilities that, if exploited by malicious attackers or cybercriminals, could have affected business continuity, data security, and security breaches, user information and the regular operation of their services."

When we asked Swascan founder Pierguido Iezzi for more details, he told us: "Sorry, but we cannot give more details and/or information about the vulnerabilities discovered. The press release was approved directly by Huawei."

It is understood that hackers aware of these critical vulnerabilities could have exploited the programming blunders over the internet, as the vulnerable web systems are public-facing.


All that Huawei has allowed Swascan to reveal is the types of bugs found: namely, out-of-bounds memory writes, out-of-bounds memory reads, and operating system command injection. Critical details, including the number of holes found, the names of the fixed services, the CVE numbers for the flaws, whether the bugs were exploited by villains, and when the patches were applied, were all omitted from the Swascan report approved by Huawei.

For what it's worth, out-of-bounds writes usually involve overflowing a buffer with more data than expected, which allows a hacker to control the flow of execution of the attacked program. However, there are other types of out-of-bounds write, so this is not a very useful description. Out-of-bounds memory reads can be used to steal information or to learn about the internals of the running software in order to defeat defenses such as ASLR. Again, this is not very specific. Command injection does what it says on the tin, although there are many ways to achieve it.

Huawei has no obligation to talk about its security flaws. It could have completely gagged Swascan: many companies demand silence from those who disclose vulnerabilities privately. However, given that data and customer transactions were apparently at risk, Huawei's secrecy in this case will raise concerns. In the past, it has failed to apply patches and has been criticized for its pathetic practices by software engineers. Perhaps it is afraid it has not fixed all its holes and therefore does not want people poking around? Maybe it is embarrassed by its coding mistakes? But everyone has bugs.

Of course, the bugs might not have been so bad. But why would Huawei stay silent?

This opacity comes as Huawei is under the microscope over the security of its products and the supposedly close relations that the manufacturer has with officials in China – a country so authoritarian that it has censored Winnie the Pooh. Huawei insists that it operates independently of its Middle Kingdom masters.

The US government has publicly vowed to no longer use Huawei products, citing espionage concerns.

There was recently hope that Washington would lift the ban, but government officials said they were not considering doing so at the moment. ®
