-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [CVE-2013-2612] Huawei E587 3G Mobile Hotspot Command Injection ________________________________________________________________________ Summary: Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to a command injection vulnerability in the Web UI. Successful exploitation allows unauthenticated attackers to execute arbitrary commands with root privileges. ________________________________________________________________________ Details: The HTTP endpoint "/api/device/time" in Web UI is vulnerable to shell command injection. This allows code execution with root privileges. ________________________________________________________________________ CVSS Version 2 Metrics: Access Vector: Network exploitable Access Complexity: Low Authentication: Not required to exploit Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete ________________________________________________________________________ Disclosure Timeline: 2013-03-18 Vendor notified 2013-03-18 CVE-2013-2612 assigned 2013-07-15 Public advisory ________________________________________________________________________ References: http://www.huawei.com/en/security/psirt/ ________________________________________________________________________ Frédéric Basse -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJR48qZAAoJENQ4kG3hg80AJMEH/Rdyx2zmDPzr2Ar5Nc+Fw1ih aiby28PhIKfXhAst2SrkIp6ogtDEj+PBrgbEy2YJlyKi01z1Uf2UGukxijlQTg7H 0zYivz55vleBrr9OD/A2pxo7sZZy7eswH5jia5abRUVXYYqEVWYp5KWvzbMPO3CY EgLYxE4uv00ojqHCl9QsD7oa+mR52Jur3QZ/IdCbJJZgmEKmwNJvJ8rb6RvTMcae +8dWhC8bhfL3UkTW5snYZ4K/euA84LmGvcfd1PXrMAX01xXDdnPJ/JxrzSPLfb1x 6WyZO6cZpgxQqvogemXKOy2MmnNkWlkK0P9OmmDpBQBI66WnyBUxXNFxEr/HFKo= =6yIl -----END PGP SIGNATURE-----
