HUAWEI Undocumented 'back door' (hidden credentials) in several HUAWEI CPE Routers.

Found via honeypots | 2/3/2016

Vulnerability details:

Using trivial reversing of firmware, it is possible to retrieve an undocumented backdoor (username/password) from
the 3G/4G WiMAX CPE router models mentioned below. This credential gives - in most cases - full access to the router.

Each firmware image is 'service provider centric', and I have even discovered that some providers allow control
of the device with a blank password from a non-RFC 1918 IP address (aka inside the provider network).
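
A detection-side check for the exposure described above, added here as an example that is not part of the original advisory: it flags accepted blank-password management logins whose source lies outside the three RFC 1918 blocks. The key=value record format, the field names (src, user, pwlen, result) and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Only the three RFC 1918 blocks. ipaddress's is_private is broader (loopback,
# link-local, documentation ranges), so it is not used for this check.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return ip.version == 4 and any(ip in net for net in RFC1918)

def flag_blank_password_logins(lines):
    """Return (src, user) for accepted blank-password logins from non-RFC 1918 sources."""
    hits = []
    for line in lines:
        ev = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if ev.get("result") != "accepted" or ev.get("pwlen") != "0":
            continue
        try:
            if is_rfc1918(ev.get("src", "")):
                continue
        except ValueError:
            continue  # unparseable source address: skip rather than guess
        hits.append((ev["src"], ev.get("user", "")))
    return hits

# Constructed sample records (hypothetical key=value format, not from any device).
SAMPLE_LOG = [
    "ts=2016-02-09T10:00:01Z src=192.168.1.20 user=admin pwlen=0 result=accepted",
    "ts=2016-02-09T10:00:05Z src=100.64.12.7 user=admin pwlen=0 result=accepted",
    "ts=2016-02-09T10:00:09Z src=172.32.0.1 user=admin pwlen=0 result=accepted",
    "ts=2016-02-09T10:00:12Z src=203.0.113.45 user=admin pwlen=0 result=rejected",
    "ts=2016-02-09T10:00:15Z src=203.0.113.45 user=admin pwlen=8 result=accepted",
    "ts=2016-02-09T10:00:19Z src=not-an-ip user=admin pwlen=0 result=accepted",
]

if __name__ == "__main__":
    for src, user in flag_blank_password_logins(SAMPLE_LOG):
        print(f"blank-password login accepted from non-RFC 1918 source {src} (user {user})")
```

Carrier-grade NAT space (100.64.0.0/10) and addresses just past 172.16.0.0/12 are outside RFC 1918, so provider-side management sources in those ranges are flagged.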

Based on publicly available firmware, the following models were found to be affected (other HUAWEI models may also be affected):

  • HUAWEI BM63x (e.g. BM632w/BM635w)
  • HUAWEI BM652

Based on the firmware investigated, and general deployment of the above models, this vulnerability
most likely affects one (or more) service provider(s) in the following countries:

  • Indonesia (Confirmed, based on available firmware)
  • Iran (Confirmed, based on available firmware)
  • Madagascar (Confirmed, based on available firmware)
  • Nigeria (Confirmed, based on available firmware)
  • Ukraine (Confirmed, based on available firmware)

It is most likely that other countries are affected as well, as the above models are used, at least, in these countries:
Bahrain, Cote d'Ivoire, Libya, Philippines


Workaround/Fix:
The above products have reached "End-of-life" and are not supported by the vendor.
Devices should be decommissioned and replaced with new supported devices.

Communication: This was reported to CERT.org, and the following reference was given: VU#226671

Timeline:

Before I started researching, some credentials were found in a SCADA honeypot.
09. Feb 2016: Several different hardcoded credentials found in various firmware versions, multiple device models affected.
09. Feb Initial email, with technical details, sent to Huawei PSIRT (psirt@huawei.com)
10. Feb Confirmation of email received from Huawei PSIRT, asking not to disclose the issue before they had time to investigate (possible delay due to Chinese New Year)
14. Feb Huawei PSIRT writes back and informs that the credentials are not undocumented, they are just in undisclosed documentation strictly for vendors, hence they are closing the case.
14. Feb Notified CERT.org of the issue, and advised I was in dialogue with Huawei PSIRT.
14. Feb Wrote to Huawei PSIRT with further technical information on additional findings and asked if I could be allowed to see the documentation.
15. Feb CERT.org assigns vulnerabilities to VU#226671
24. Feb Wrote a kind reminder to Huawei PSIRT asking for status.
25. Feb Huawei PSIRT advises that I am not allowed to see the documentation (only for vendors) and that technical staff are investigating the other findings.
29. Feb Huawei PSIRT advises that the items are "not to worry". I reply with thanks for the assistance, and say that I will make a blog entry.
As always with my findings, I will encourage people to change devices from "End-Of-Life" to newer supported devices.
02. Mar Blog entry published.