By Bruce Sussman
Fri | Mar 29, 2019 | 12:24 PM PDT

It's only been a few weeks since we learned about 8 Steps Huawei Took to Trick T-Mobile and Steal IP.

And it's been slightly longer since we covered the latest in a series of Huawei spying arrests and the way Western countries have been warning about the security threat Huawei poses.

So after all this, are we to believe that a recent security vulnerability in a Huawei driver (that was discovered by Microsoft) is simply an accident?

That's a good question, indeed, when you look at the code injection and privilege escalation possibilities in this case.

Microsoft detailed the vulnerabilities and what they would allow an "attacker" to do. Here are three key paragraphs from Microsoft's research:

The attacker-controlled process could abuse this capability to talk with the device to register a watched executable of its own choice. Given the fact that a parent process has full permissions over its children, even code with low privileges might spawn an infected MateBookService.exe and inject code into it.

Once we had a working POC demonstrating the elevation of privilege from a low-integrity attacker-controlled process, we responsibly reported the bug to Huawei through the Microsoft Security Vulnerability Research (MSVR) program. The vulnerability was assigned CVE-2019-5241. Meanwhile, we kept our customers safe by building a detection mechanism that would raise an alert for any successful privilege escalation exploiting the HwOs2Ec10x64.sys watchdog vulnerability as we described.

Having been able to freely invoke IOCTL handlers of the driver from user-mode, we looked for other capabilities that can be abused. We found one: the driver provided a capability to map any physical page into user-mode with RW permissions. Invoking this handler allowed a code running with low privileges to read-write beyond the process boundaries—to other processes or even to kernel space. This, of course, means a full machine compromise.
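The detection idea Microsoft describes, written out as an added example (not Microsoft's or Huawei's code): a check over constructed process-creation records that flags MateBookService.exe being started by anything other than the service control manager, or at a higher integrity than its parent. The parent name services.exe, the record fields and the integrity ordering are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the legitimate service host is started by the service
# control manager at System integrity. Integrity ranks follow Windows'
# ordering (Low < Medium < High < System).
EXPECTED_PARENT = "services.exe"
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}
WATCHED_IMAGE = "matebookservice.exe"

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str             # child image name
    integrity: str         # child integrity level
    parent_image: str
    parent_integrity: str

def spawn_alert(ev: ProcEvent) -> Optional[str]:
    """Return an alert reason when MateBookService.exe is started by
    something other than the service control manager, or ends up at a
    higher integrity than its parent (the escalation pattern quoted above)."""
    if ev.image.lower() != WATCHED_IMAGE:
        return None
    if ev.parent_image.lower() == EXPECTED_PARENT and ev.parent_integrity == "System":
        return None
    if INTEGRITY_RANK[ev.integrity] > INTEGRITY_RANK[ev.parent_integrity]:
        return f"pid {ev.pid}: {ev.parent_image} ({ev.parent_integrity}) spawned {ev.image} at {ev.integrity}"
    return f"pid {ev.pid}: {ev.image} started by unexpected parent {ev.parent_image}"

def scan(events: List[ProcEvent]) -> List[str]:
    """Run the check over a batch of records and return the alert reasons."""
    return [r for r in (spawn_alert(ev) for ev in events) if r]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ProcEvent(1204, "MateBookService.exe", "System", "services.exe", "System"),
    ProcEvent(4412, "MateBookService.exe", "Medium", "sandboxed.exe", "Low"),
    ProcEvent(4490, "MateBookService.exe", "Medium", "cmd.exe", "Medium"),
    ProcEvent(5000, "notepad.exe", "Medium", "explorer.exe", "Medium"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT", line)
```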

Interestingly, Microsoft did not claim this was a Huawei attempt to purposefully install a security vulnerability for Chinese use. Instead, it said this:

"The two vulnerabilities we discovered in a driver prove the importance of designing software and products with security in mind. Security boundaries must be honored. Attack surface should be minimized as much as possible."

Doesn't it seem like a global enterprise like Huawei would already know this?
