Original release date: February 22nd, 2016
Description
Because some ZXSEC US firewall products use RSA-CRT in TLS, the private RSA key, X.509 certificate and login interface might be exposed under certain circumstances. As a consequence, this will lead to a man-in-the-middle attack and to connections to the firewall equipment being decrypted. The vulnerability also impacts some other services, including HTTPS.
1. The affected device models include: US2640B, US2630B, US2620B.
2. An emergency fix has been made for affected software version 5.0R4p8.
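A common hardening for RSA-CRT signing, shown here as an added example that is not ZTE's code and not part of the original advisory: verify every signature with the public key before releasing it, so a miscomputed result never leaves the device. The toy key, the `flip_bit` test hook and all function names are assumptions made for illustration.

```python
# Added example: RSA-CRT signing with a verify-before-release check.
# Toy key built from two Mersenne primes; real keys are 2048 bits or more.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537      # constructed demo values
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


class FaultDetected(Exception):
    """Raised when a computed signature fails public-key verification."""


def crt_sign_raw(m, flip_bit=None):
    """RSA-CRT private-key operation with no self-check.

    flip_bit is a hypothetical test hook that simulates a computation
    error in the mod-P half of the CRT calculation.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if flip_bit is not None:
        sp ^= 1 << flip_bit                # simulated fault
    h = (QINV * (sp - sq)) % P             # Garner recombination
    return sq + h * Q


def crt_sign_checked(m, flip_bit=None):
    """Release the signature only if it verifies under the public key (N, E)."""
    s = crt_sign_raw(m, flip_bit)
    if pow(s, E, N) != m % N:
        raise FaultDetected("signature failed self-check; not released")
    return s


def demo():
    """Return (valid signature, whether a faulty signature was released)."""
    m = 123456789                          # constructed stand-in for a padded digest
    good = crt_sign_checked(m)
    try:
        crt_sign_checked(m, flip_bit=3)
        released_faulty = True
    except FaultDetected:
        released_faulty = False
    return good, released_faulty


if __name__ == "__main__":
    print(demo())
```

The extra public-key operation is cheap with a small public exponent such as 65537, so the check adds little to the cost of each signature.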
Acknowledgement:
Thanks to Florian Weimer for reporting the vulnerability to ZTE PSIRT.
Supporting team contacts:
1. ZTE GCSC hotline:
0755-26770800
800-830-1118
400-830-1118
2. Product forum at ZTE Support website.
Feedback Channel:
If you need to give feedback on or report security vulnerabilities related to ZTE products, or to get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.