(LiveHacking.Com) – Security researcher, Kurt Grutzmacher, has been researching security vulnerabilities caused by buffer overflows on Huawei and H3C routers and was planning to present his findings on Saturday at the ToorCon 14 security show in San Diego. However just before the planned disclosure, Kurt was contacted by the HP Software Security Response Team asking him not to make the disclosure as the vulnerabilities are ‘too big’ for HP, H3C or Huawei to be ready. H3C is a wholly owned subsidiary of Hewlett-Packard and is based in Hangzhou, China.
Kurt has been researching the routers since June 2012 and in August he submitted his finding to US-CERT asking them to coordinate with HP/H3C. US-CERT’s standard disclosure policy is 45 days after vendor notification. After 30 days Kurt had not received a reply from US-CERT or from HP. At this point he contacted them again stating his intention to disclose the problems as the ToorCon.
Then just a few days before the conference, Kurt was contacted by email and voicemail by HP kindly asking him to not disclose the vulnerabilities. Kurt decided to agree with HP. However there Kurt is confident that the disclosure will be made within the next few months.
According to Kurt all users of H3C or Huawei equipment are at risk.
“Can others figure out what I know? Certainly they could. Am I going to tell anyone or give hints? No, I cannot. There is this bag with an angry cat in it that wants to come out. Or it may not be a cat. It’s Schrödinger’s Disclosure! You just won’t know until it’s opened.”
This latest concerns over the vulnerabilities in Huawei routers come after two separate U.S government reports condemned the safety of Huawei equipment. The first report was from the U.S. House of Representatives Intelligence Committee said that U.S. telecommunications operators should not buy equipment from Huawei. The second was a White House-ordered review of the security risks posed by Chinese telecom suppliers, it concluded that Huawei equipment had too many security vulnerabilities.