[CVE-2013-2612] Huawei E587 3G Mobile Hotspot Command Injection
________________________________________________________________________
Summary:
Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to a command
injection vulnerability in the Web UI.
Successful exploitation allows unauthenticated attackers to execute
arbitrary commands with root privileges.
________________________________________________________________________
Details:
The HTTP endpoint "/api/device/time" in Web UI is vulnerable to shell
command injection. This allows code execution with root privileges.
________________________________________________________________________
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
________________________________________________________________________
Disclosure Timeline:
2013-03-18 Vendor notified
2013-03-18 CVE-2013-2612 assigned
2013-07-15 Public advisory
________________________________________________________________________
References:
http://www.huawei.com/en/security/psirt/
________________________________________________________________________
Fracdacric Basse