Microsoft has discovered a high-severity flaw in Huawei software for Windows PCs. Through use of its Windows Defender ATP software, it discovered a privilege escalation flaw that could let low-privilege attackers inject their own code or bypass driver signature enforcement.
As a result, up-to-date users shouldn’t be at any serious risk. However, some will naturally be angry that the company introduced a security hole with its software. The purpose of PCManager is to aid in driver updates, but it seems the implementation was far from ideal.
“Attaching a kernel debugger and setting a breakpoint on the memcpy_s in charge of copying the parameters from kernel to user-mode revealed the created process: one of Huawei’s installed services, MateBookService.exe, invoked with ‘/startup’ in its command line,” explained Microsoft.
“Why would a valid service be started that way? Inspecting MateBookService.exe!main revealed a ‘startup mode’ that revived the service if it’s stopped – some sort of watchdog mechanism meant to keep the Huawei PC Manager main service running.”
It’s this process that could give attackers a way in, as the only form of verification was a check of the file path against a whitelist. With a modified MateBookService.exe, an attacker could introduce their own watched executable with full permissions.
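To show why a path-only whitelist is a weak launch check, here is an added example (not Huawei's or Microsoft's code) of a watchdog-style validator that compares the path-only test with one that also pins the file's contents. The function names, the temporary directory and the file contents are assumptions made for the demo, and the SHA-256 pin stands in for the code-signature verification a Windows component would more likely use.

```python
import hashlib
import hmac
import os
import tempfile


def canonical(path):
    """Resolve symlinks and case so allowlist lookups compare like with like."""
    return os.path.normcase(os.path.realpath(path))


def path_only_check(path, allowed_paths):
    """Weak check: trusts whatever file currently sits at an allowlisted path."""
    return canonical(path) in allowed_paths


def path_and_digest_check(path, pinned):
    """Hardened check: path must be allowlisted and contents must match the pin."""
    expected = pinned.get(canonical(path))
    if expected is None:
        return False
    try:
        with open(path, "rb") as fh:
            actual = hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return False  # unreadable or missing file is never launched
    return hmac.compare_digest(actual, expected)


def demo():
    """Run both checks before and after the allowlisted file is replaced."""
    original = b"constructed sample: original service image"
    with tempfile.TemporaryDirectory() as folder:
        service = os.path.join(folder, "MateBookService.exe")  # stand-in file
        with open(service, "wb") as fh:
            fh.write(original)
        pinned = {canonical(service): hashlib.sha256(original).hexdigest()}
        allowed_paths = set(pinned)
        before = (path_only_check(service, allowed_paths),
                  path_and_digest_check(service, pinned))
        with open(service, "wb") as fh:  # same path, different contents
            fh.write(b"constructed sample: replaced contents")
        after = (path_only_check(service, allowed_paths),
                 path_and_digest_check(service, pinned))
        return before, after


if __name__ == "__main__":
    print(demo())
```

The path-only check keeps approving the file after its contents change, while the pinned check rejects it. A gap remains between checking and launching, so the directory holding the executable also needs permissions that stop low-privilege users from writing to it.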
The flaw doesn’t do wonders for Huawei’s image after the US government warned several countries to avoid the use of its devices on military bases. The concerns followed allegations of compromised Chinese-manufactured motherboards from Supermicro that made their way to major tech companies.