Original release date: 20 February 2019
Statement
Security researcher Takeshi reported a command injection vulnerability in the MF910 and MF65+ products, and an authentication bypass vulnerability in the MF910 product, to ZTE PSIRT in February 2019.
After analysis by the related product team, the command injection vulnerability was confirmed to exist in the MF910 and MF65+ products. Due to insufficient parameter validation, an attacker could exploit this vulnerability to execute arbitrary commands. The authentication bypass vulnerability was confirmed to exist in the MF910 product; an attacker could exploit this vulnerability to extract device authentication information before authentication.
MF910 and MF65+ reached end of service on September 27, 2017, and the vulnerabilities were fixed in the substitute products MF920 and MF65M2. ZTE recommends that you choose the substitute products for better security.
Credit
Thanks to security researcher Takeshi for reporting the security vulnerabilities to ZTE PSIRT.
Update Records
20 February 2019, initial.
Supporting team contacts
1. ZTE GCSC hotline:
0755-26770800
800-830-1118
400-830-1118
2. Product forum at ZTE Support website.
ZTE PSIRT
If you need to give feedback on or report security vulnerabilities related to ZTE products, or to obtain ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.