Two Vulnerabilities in ZTE ZXHN F670 Product

Original release date: 1 February 2019

 

CVE IDs 

CVE-2019-3417

CVE-2019-3418

 

CVSS 3.0 Base Score

CVE-2019-3417: 8.1 High (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)

CVE-2019-3418: 5.7 Medium (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

 

Description

CVE-2019-3417:

All versions of the ZTE ZXHN F670 product up to V1.1.10P3T18 are affected by a command injection vulnerability. Due to insufficient parameter validation, an authorized user can exploit this vulnerability to take control of the user's router system.

CVE-2019-3418:

All versions of the ZTE ZXHN F670 product up to V1.1.10P3T18 are affected by a cross-site scripting (XSS) vulnerability. Due to incomplete input validation, an authorized user can exploit this vulnerability to execute malicious scripts.

 

Affected Products and Fixes

Product Name: ZXHN F670

Affected Version: All versions up to V1.1.10P3T18

Resolved Version: V1.1.10P3T22

 

Credit

Security researchers Egor Dimitrenko and Alexandr Shvetsov at Positive Technologies submitted the command injection vulnerability in the ZXHN F670 product to ZTE PSIRT.

Security researchers Egor Dimitrenko, Alexandr Shvetsov and Maxim Kostikov at Positive Technologies submitted the XSS vulnerabilities in the ZXHN F670 product to ZTE PSIRT.

ZTE would like to thank Egor Dimitrenko, Alexandr Shvetsov and Maxim Kostikov for the work they have done to coordinate with us in vulnerability disclosure.

 

Update Records

1 February 2019, initial.

7 August 2019, the originally assigned CVE IDs (CVE-2018-7367, CVE-2018-7368) were not published, so new CVE IDs were assigned.

 

Supporting team contacts

1.  ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2.  Product forum at ZTE Support website.

 

ZTE PSIRT

If you need to give feedback on or report security vulnerabilities related to ZTE products, or to obtain ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.