Huawei denies involvement in buggy Linux kernel patch proposal

Huawei says employee submitted code as part of a personal project, not on behalf of the company.

Huawei denied on Monday having any official involvement in an insecure patch submitted to the Linux kernel project over the weekend, a patch that introduced a "trivially exploitable" vulnerability.

The buggy patch was submitted to the official Linux kernel project via its mailing list on Sunday. Named HKSP (Huawei Kernel Self Protection), the patch allegedly introduced a series of security-hardening options to the Linux kernel.

Big tech companies that heavily use Linux in their data centers and online services often submit patches to the Linux kernel. Companies like Google, Microsoft, Amazon, and others have been known to contribute code.

Trivially exploitable vulnerability found in HKSP

On Sunday, the HKSP submission sparked interest in the Linux community, as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel.

In a blog post published on the same day, the Grsecurity team said that it discovered that the HKSP patch was introducing a "trivially exploitable" vulnerability in the kernel code -- if the patch were to be approved.

Rumors and conspiracy theories almost immediately started online, accusing Huawei of trying to sneakily introduce vulnerabilities in the Linux kernel.

In today's complicated political landscape, such accusations are neither new nor surprising. The Chinese company has been accused numerous times in the past years of including backdoors in its networking devices, accusations that the company has always denied or tried to explain in Twitter videos.

Huawei says employee acted on their own

However, in a statement published on Monday, Huawei said that the company has no official involvement in the HKSP project, despite the project using the Huawei name in its title and the project having been developed by one of its top security engineers.

The company said the project was created and submitted to the Linux kernel project by the engineer, without its formal backing, and the HKSP code was never actually used in any of the official Huawei products.

"It is only the demo code used by an individual for technical discussion with the open source community Openwall," Huawei said.

An update was also added to the HKSP project on Monday, with the Huawei employee adding a similar disclaimer.

The fact that a Huawei employee wrote code that contains security flaws is nothing new. A report by the UK government last year found that Huawei networking equipment was riddled with security flaws that often went years without receiving patches.

The reaction from the tech community in this particular case also shows the global anti-Huawei sentiment, which has been spurred in recent years by countless security issues in the company's products, accusations of intellectual property theft, accusations of hiding secret backdoors in its firmware, and the West's fear of having the Chinese government spy on worldwide communications via the ever-popular Huawei equipment.