Update 4/3/19, 12:30 p.m. PT:
Huawei sent us a statement vehemently reiterating that the flaw in its Matebook driver was not a "backdoor," or malicious code to enable spying on customers. In its statement, Huawei also seemed to suggest it is open to taking legal action against media over "misleading reports" about this issue:
“Huawei is concerned that some media misleading that Huawei's PC Manager's previous system vulnerabilities are ‘backdoors.’ Huawei firmly denied this. In its vulnerability research article, Microsoft also clearly stated that the vulnerability in Huawei PC Manager is a defect in software design, not a backdoor. In November 2018, Microsoft discovered that Huawei PC Manager was vulnerable and reported it to Huawei (vulnerability ID: CVE-2019-5241, CVE-2019-5242). Huawei analyzed and processed the problem in the first time, and in 2019 The patch was patched in January. Huawei will continue to maintain close communication and cooperation with industry partners to continuously improve product safety and protect users' interests from being infringed. For misleading reports from some media, Huawei will retain the right to protect its rights and interests through legal means.”
Original article 3/26/19, 8:26 a.m. PT:
Microsoft security researchers discovered a security flaw in Huawei’s device manager driver for the Matebook line of Windows 10 PCs that could undermine low-level kernel protections, not unlike the WannaCry backdoor the NSA developed and then was leaked to the public. The news comes at the heels of Huawei being accused by the U.S. government and other governments of being an espionage arm for the Chinese government. ZDNet first reported the news.
Insecure Huawei Driver
According to Microsoft’s researchers, the security issue was revealed by Windows Defender ATP’s kernel sensors, which allowed the team to trace a security vulnerability back to Huawei’s device management driver. While digging deeper into the issue, the Microsoft researchers realized that the local privilege escalation vulnerability was enabled by Huawei’s flawed and insecure architecture design for one of its driver.
Microsoft claimed that computer manufacturers such as Huawei can build this type of utilities to facilitate device management. However, these tools contain components that have access to the lowest levels of a system, which means that if they don’t have a secure design by default, attackers could use them as backdoors to compromise users’ systems.
Microsoft said that Huawei responded to the vulnerability disclosure with professionalism and that Huawei released a patch for the flaw in January, soon after Microsoft reported the vulnerability.
Responding to WannaCry
Starting in Windows 10, version 1809, Microsoft integrated some software-based sensors into the kernel so that users could be alerted when code injections are initiated by kernel code. These sensors were put there to prevent backdoors such as DOUBLEPULSAR, which the U.S. National Security Agency (NSA) created and then was leaked by the Shadow Brokers group into the wild for any malicious actor to use. The WannaCry ransomware made use of the DOUBLEPULSAR backdoor to inject its main payload into the user space.
Microsoft noted that its Windows Defender ATP security service for enterprise customers was able to detect this type of low-level system vulnerability effectively and then alert the system admins about the flaw so that they can take action. The company believes that the service will be able to detect other such vulnerabilities in the future and alert its customers before malicious parties exploit them to create harm.
