Critical flaws found in four Cisco SMB router ranges – for the second time this year Cisco has revealed four of its small business router ranges have critical flaws – for the second time in 2022 alone. A Wednesday advisory warns owners of the RV160, RV260, RV340, and RV345 Series Routers that the vulnerabilities could allow "an unauthenticated, remote attacker to execute arbitrary code or cause a denial of …
I had similar thought but in different direction: one feels that Cisco's software must be full of bugs, Juniper as well, Aruba at least half full (call me an optimist here), even Fortinet get their laundry publicly wasched every now and then. But so far I haven't heard about one public announcement of a vulnerability in Huawei's infrastructure gear (consumer gear and endpoint appliances do get mentioned from time to time).
I'm curious why. Do they disclose their vulnerabilities in a similar manner as Cisto et al? If yes, why they don't get similar media coverage? If not, why? Is it a cultural difference or a language barrier?
I'd hazard a guess that Huawei gear gets updates and patches as well. There are lots and lots of Huawei boxes installed throughout Europe. Is there a Huawei admin here on this forum, who could chip in with a real world experience?
Not a Huawei admin, but looking at their site it appears they operate a PSIRT (Product Security Incident Response Team) and disclose bugs/security issues in much the same way as the other vendors (admins can subscribe via RSS or email normally to get updates via the medium of their choice).
Used to review this kind of thing weekly in a previous role (security-focused) where we'd be checking all of our known infrastructure to see if any exploits had been announced against the various hardware/software we ran internally.
They got roasted for rubbish software, but not any real "back doors":
https://www.theregister.com/2019/03/28/hcsec_huawei_oversight_board_savaging_annual_report/
You could argue you don't need back doors with many broken windows and loose hinges, of course. But in Huawei's defence their code was audited for this where as the others like Cisco, etc, have not, and the public evidence of so many critical CVE suggest they can't be a whole lot better.
CVE-2022-20842 "due to insufficient validation of user-supplied input"
CVE-2022-20827 "due to insufficient input validation"
CVE-2022-20841 "due to insufficient validation of user-supplied input"
Never trust input data (even if you've supplied it yourself). Allow only what is expected and required.
Indeed. When I was regularly involved with Perl CGI scripts 20+ years ago, it was an absolute mantra to never trust user input, always sanitise it.
I just checked, CGI.pm is no longer part of Perl core. It doesn't matter, here is a line from the module: "... if you do not sanitise user input as it is possible to inject other param keys and values into your code."
Yet what do I see on the internet today, for tutorials about building your own web server + database CRUD with Go/Rust/etc? So many times, I see boiler plate code to accept what a user submits in a form and shove it as it is into a database. At least that is what they are hoping for, as there is no sanitation. These code monkey web sites are not using some modules which automatically do the sanitising, they are 100% exploitable junk put out there as examples. They will work fine until the first knobhead with a marginal clue about exploits comes along.
"Indeed. When I was regularly involved with Perl CGI scripts 20+ years ago, it was an absolute mantra to never trust user input, always sanitise it."
Ah, I wish I could get this through to the programmer of our industry-specific POP software, Bob. After 20 years of dealing with a software package that fails the simple task of validating ANY input (do a typo, get a crash), I have been left to wonder if he learned to program via a £10 mail order course.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
