Chinese networking vendor Huawei launched an investigation into reports that the firmware in at least two of its routers, the AR18 and AR29 series, has major security vulnerabilities that make the devices subject to takeover through either a heap overflow or a stack overflow.
The purported vulnerabilities were discussed Sunday at the Defcon conference in Las Vegas during a presentation by Felix Lindner, the head of security firm Recurity Labs, and his colleague, security consultant Gregor Kopf. According to both men, there are literally thousands of calls within the firmware to a function called "sprintf," which does not check the size of its destination buffer and is a well-known source of overflow bugs.
In response, Huawei issued a statement indicating that the company is in the process of verifying the claims. "Huawei adopts rigorous security strategies and policies to protect the network security of our customers, and abides by industry standards and best practices in security risk and incident management," read the statement. "Huawei has established a robust response system to address product security gaps and vulnerabilities, working with our customers to immediately develop contingency plans for all identified security risks, and to resolve any incidents in the shortest possible time."
The statement also calls upon the technology industry to promptly report all product security risks so that the vendor's CERT team can address whatever security issues may emerge.
Lindner and Kopf also reported that they had an extremely difficult time reaching the Huawei security team to discuss their findings. They also said that, based on the relative quality of the Huawei code, it's quite likely that additional issues will be found in the near future.
Over the past few years, Huawei has emerged as a major competitor to Cisco. This news is likely to take some of the wind out of the sails of the Chinese networking vendor, according to several solution providers who focus on networking and security.
"There's already plenty of mistrust because of the intellectual property issues that the industry has been having with China and Chinese companies," said Paul Cronin, senior vice president at Atrion, a Warwick, R.I.-based integrator. "When something like this happens, it makes it even harder to trust them. In addition, the company has close ties to the Chinese government, which raises questions as to who has access to the data."
Meanwhile, Daniel Cheng, president of Ontario-based reseller AMA, said the timing of the report is very bad for Huawei.
"Everyone is watching Huawei right now as they try to gain acceptance in the market," he said. "They've been emerging as a strong contender in the core infrastructure segment because they're a lot cheaper. This will definitely have a negative impact because our customers' biggest worry regarding network equipment is not about reliability, it's about security."
A key question also is whether Cisco will capitalize on this latest development.
"Huawei has totally come after Cisco in Cisco's primary market," said one West Coast Cisco channel partner who asked to remain anonymous. "If Cisco misses out on the opportunity to aim its marketing machine in this direction, then they deserve to go down."
Huawei's AR18 router series is specifically aimed at the SOHO market. The AR29 router series is part of a new product portfolio aimed at enterprise customers.
PUBLISHED AUG. 2, 2012