The Microsoft Defender Advanced Threat Protection (ATP) service featured in Windows 10 version 1809 alerted researchers to an NSA-inspired backdoor vulnerability in Huawei laptops.
The PCManager software included in some Huawei’s Matebook systems allows unprivileged users to create processes with superuser privileges, according to a 25 March Microsoft security post.
Upon investigation, researchers found a driver containing components that run with ring-0 privileges in the kernel.
“We traced the anomalous behaviour to a device management driver developed by Huawei,” researchers said in the post. “Digging deeper, we found a lapse in the design that led to a vulnerability that could allow local privilege escalation.”
This type of vulnerability is similar to a technique used in the NSA’s DOUBLEPULSAR that was leaked by the Shadow Brokers. In 2017 hackers attacked scores of computers with malware inspired by the exploit following the NSA data leak.
Researchers who reported the vulnerability to Huawei said the company responded and cooperated quickly and professionally. A patch was released earlier this year on 19 January.
In an email to SC Media UK Oleg Kolesnikov VP of threat research and head of research labs at Securonix noted that whether deliberate or not, the flaws emphasised the need for betting testing: “While there currently is no direct evidence that the software security issues were intentionally added for Huawei’s driver code to be leveraged for a malicious backdoor, these vulnerabilities appear to align with the earlier National Cyber Security Centre, GCHQ etc (HCSEC) report regarding Huawei products and the lack of proper software security practices in the Huawei’s approach to software engineering likely significantly increasing the risk to the operators.
“Given the ongoing debate about Huawei and fear around backdoors, one of the key takeaways from this is that it can be very challenging to determine whether a software security issue present is a result of an intentional/backdoor vs. unintentional error, so it is critical not only to have the ability to perform an in-depth software and hardware security analysis related to the vulnerabilities, but also to ensure that the proper software development process and best practices are in place since software vulnerabilities often do not occur in isolation–where there is one, there is often much more to find.
“Specifically, process hollowing is a relatively well-known software security attack technique, so had Huawei developers followed the proper software security design, development, and testing processes when implementing the MateBookService and the corresponding driver software components IRP/IOCTL functionality, chances are that the software security issues reported could have been mitigate and/or addressed proactively.”
Last week, the European Union ignored recent calls from the US to ban Huawei products out of fear of Chinese cyber-espionage, as the EU rolled out its 5G security guidelines.