Remote Code Execution Vulnerability in NR8000 Series Products

Original release date:  15 September  2017

Update date:  27 September 2017

 

CVE ID

CVE-2017-10932

 

CVSS 3.0 Base Score

9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

Affected Product

NR8000 Series

 

Affected Versions

All versions prior to V12.17.20

 

Description

All versions prior to V12.17.20 of the ZTE Microwave NR8000 series products - NR8120, NR8120A, NR8120, NR8150, NR8250, NR8000 TR and NR8950 are the applications of C/S architecture using the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the vulnerabilities by sending a crafted RMI request to execute arbitrary code on the target host.

 

Workaround

Ensure that all exposed ports used by the server, including the RMI registry port, are firewalled from any untrusted IP address.

 

Resolution

Users may upgrade or change to new versions after V12.17.20.

 

Credit

Thanks to Zhang Jinxin for reporting the security issues to ZTE PSIRT.

 

References

CVE-2015-6420 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420)

CVE-2015-4852 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852)

CVE-2015-7450 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7450)

CVE-2015-8103 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103)

 

Update Records

15 September 2017, initial.

27 September 2017, CVE ID assigned.

 

ZTE PSIRT

If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID:FF095577.

[Close]