Huawei has released security updates for some enterprise and broadcast products to address a cryptography issue that was discovered in late 2017.
The vulnerability, tracked as CVE-2017-17174, is related to the implementation of an insecure encryption algorithm and could be exploited to power MiTM attack to decrypt a session key and recover the content of the entire session.
“There is a weak algorithm vulnerability in some Huawei products. A remote, unauthenticated attacker may capture traffic between clients and the affected products.” reads the security advisory published by Huawei.
“Due to the use of insecure encryption algorithm, the attacker may decrypt the session key by some cryptanalytic operations and the traffic between the server and the client. Successful exploit may cause information leak.”
The following Huawei products using RSA encryption in TLS are potentially vulnerable:
Huawei rated the vulnerability as a 5.3 (medium) because it is not easy to exploit, the company has released software updates to address the flaw for all of its solution except for the unified communications software SoftCo that has been deprecated.
Every flaw discovered in products of Chinese and Russia firm trigger the alarm of governments that are already banning their solution from critical infrastructure and government offices.
In May, the Pentagon ordered retail outlets on US military bases to stop selling Huawei and ZTE products due to unacceptable security risk they pose.
(Security Affairs – CVE-2017-17174, encryption)