Original release date: October 15, 2021

CVE ID
CVE-2021-21743
CVE-2021-21744
CVE-2021-21745
CVE-2021-21746
CVE-2021-21747
CVE-2021-21748
CVE-2021-21749

CVSS 3.1 Base Score
CVE-2021-21743: 6.3 Medium (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVE-2021-21744: 5.4 Medium (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)
CVE-2021-21745: 4.7 Medium (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE-2021-21746: 6.1 Medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE-2021-21747: 6.1 Medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE-2021-21748: 9.6 Critical (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVE-2021-21749: 8.3 High (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Description
CVE-2021-21743: ZTE MF971R product has a CRLF injection vulnerability. An attacker could exploit the vulnerability to modify the HTTP response header information through a specially crafted HTTP request.
CVE-2021-21744: ZTE MF971R product has a configuration file control vulnerability. An attacker could use this vulnerability to modify the configuration parameters of the device, causing some security functions of the device to be disabled.
CVE-2021-21745: ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attacker could use this vulnerability to perform illegal authorization operations by sending a request to the user to click.
CVE-2021-21746, CVE-2021-21747: ZTE MF971R product has two reflective XSS vulnerabilities. An attacker could use the vulnerabilities to obtain cookie information.
CVE-2021-21748, CVE-2021-21749: ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerabilities to execute arbitrary code.
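Added example (not ZTE's code) for the CRLF-injection class of CVE-2021-21743: a response-header builder that refuses CR/LF in attacker-influenced values, beside a log-side check that flags URL-encoded CRLF in request parameters. The query strings are constructed samples, and the function names are assumptions of this example.

```python
"""CRLF-injection hardening and detection (added example, not ZTE code)."""
import re
from urllib.parse import unquote

# CR, LF and NUL let a parameter value end a header line and start a new one.
_CTL = re.compile(r"[\r\n\x00]")


def header_line(name: str, value: str) -> bytes:
    """Build one HTTP response header line. Rejects (rather than silently
    strips) control characters so the caller can log the attempt."""
    if _CTL.search(name) or _CTL.search(value):
        raise ValueError(f"control character in header {name!r}")
    return f"{name}: {value}\r\n".encode("latin-1")


def has_crlf_payload(raw_value: str) -> bool:
    """Detection: True if a raw query/form value contains CR or LF after
    URL-decoding. Decoding is repeated a bounded number of times so that
    %0d%0a and double-encoded %250d%250a are both caught."""
    decoded = raw_value
    for _ in range(3):  # bounded: never loop on pathological input
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return _CTL.search(decoded) is not None


# Constructed sample of access-log query strings (not real traffic).
SAMPLE_QUERIES = [
    "page=status&lang=en",
    "redirect=%2Findex.html",
    "redirect=%2Fx%0d%0aSet-Cookie%3A+sid%3Dinjected",
    "redirect=%252Fx%250d%250aX-Injected%3A+1",
]


def flag_queries(queries):
    """Return the query strings in which any parameter carries a CRLF payload."""
    return [q for q in queries if any(has_crlf_payload(kv) for kv in q.split("&"))]


if __name__ == "__main__":
    print(flag_queries(SAMPLE_QUERIES))  # the two injected samples
    print(header_line("Location", "/index.html"))
```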
Affected Products and Fixes
Product Name | Affected Version | Resolved Version
MF971R | BD_ZTE_MF971RV1.0.0B05 | BD_ZTE_MF971RV1.0.0B06
MF971R | BD_PLKPLMF971R1V1.0.0B06 | BD_PLKPLMF971R1V1.0.0B07
MF971R | BD_MF971R2V1.0.0B03 | BD_MF971R2V1.0.0B04
MF971R | BD_ZTE_MF971RS2V1.0.0B03 | BD_ZTE_MF971RS2V1.0.0B04
MF971R | BD_ZTE_MF971RSV1.0.0B05 | BD_ZTE_MF971RSV1.0.0B06

Acknowledgement
ZTE thanks Marcin 'Icewall' Noga of Cisco Talos for paying attention to our products and cooperating with us to disclose the vulnerabilities.

Update Records
October 15, 2021, initial release.

Version Update Method
A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

Global Customer Support Center
http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

ZTE PSIRT
https://www.zte.com.cn/global/cybersecurity/ztepsirt.html