Multiple Vulnerabilities in Some ZTE CPE Terminal Products

Original release date: 14 August 14 2018

Update date: 29 January 2019

CVE ID

CVE-2018-7359

CVE-2018-7360

CVE-2018-7361

CVE-2018-7362

CVE-2018-7363

CVSS 3.0 Base Score

CVE-2018-7359: 9.0 Critical (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVE-2018-7360: 9.6 Critical (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVE-2018-7361: 6.5 Medium (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2018-7362: 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2018-7363: 4.3 Medium (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Description

CVE-2018-7359:

Some ZTE CPE terminal products ZXA10 F668 V1.0, ZXA10 F620 V2.0, ZXHN F660 V2.0, ZXHN F660 V2.1, ZXHN F660 V2.30.20, ZXHN F660 V2.3.1, ZXHN F670 V1.0 and ZXV10 H108L V1.0 have a heap-based buffer overflow vulnerability, which may allow an attacker to execute arbitrary code.

CVE-2018-7360:

ZTE CPE terminal product ZXHN F670 V1.0 has an information exposure vulnerability, which may allow an unauthenticated attacker to get the GPON SN information via appviahttp service.

CVE-2018-7361:

ZTE CPE terminal product ZXHN F670 V1.0 has a null pointer dereference vulnerability, which may allows an attacker to cause a denial of service to appviahttp service.

CVE-2018-7362:

Some ZTE CPE terminal products ZXA10 F668 V1.0, ZXA10 F620 V2.0, ZXHN F660 V2.0, ZXHN F660 V2.1, ZXHN F660 V2.30.20, ZXHN F660 V2.3.1, ZXHN F670 V1.0 and ZXV10 H108L V1.0 have an improper access control vulnerability, which may allows an unauthorized user to perform unauthorized operations on the router.

CVE-2018-7363:

ZTE CPE terminal product ZXHN F670 V1.0 has an improper authorization vulnerability. Since appviahttp service has no authorization delay, an attacker can be allowed to brute force account credentials.

Affected Products and Fixes

As the following affected products were end of service, ZTE recommends you to choose the latest versions of the substitute products.

Credit

Security researcher Maxim Goryachy at Positive Technologies submitted four vulnerabilities of some CPE terminal products to ZTE PSIRT, which included heap-based buffer overflow, information exposure, null pointer dereference and improper authorization.

Security researcher Alexander Shvetsov, Egor Dimitrenko and Maxim Goryachy at Positive Technologies also submitted improper access control vulnerability of some CPE terminal products to ZTE PSIRT.

ZTE would like to thank Alexander Shvetsov, Egor Dimitrenko and Maxim Goryachy for the work they have done to coordinate with us in vulnerability disclosure.

References

http://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1003458

http://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1003453

http://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1006597

http://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1006599

http://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1007522

http://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1006847

Update Records

14 August 2018, initial.

2 November 2018, Description, Affected Products and Fixes updated.

14 November 2018, Description, Affected Products and Fixes updated.

19 November 2018, CVE ID and CVSS 3.0 Base Score updated.

29 January 2019, Affected Products and Fixes updated.

Supporting team contacts

1.  ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2.  Product forum at ZTE Support website.

ZTE PSIRT

If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.