Initial Release Date: August 24, 2023

Vulnerability ID
Vulnerability 1:
CVE ID: CVE-2023-25642
CNNVD-ID: CNNVD-2023-07593891
Vulnerability 2:
CVE ID: CVE-2023-25643
CNNVD-ID: CNNVD-2023-33629346

CVSS 3.1 Base Score
Vulnerability 1: 5.9 Medium (AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
Vulnerability 2: 8.4 High (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Description
Vulnerability 1: There is a buffer overflow vulnerability in some ZTE mobile internet products. Due to insufficient validation of the TCP port parameter, an authenticated attacker could use the vulnerability to perform a denial of service attack.
Vulnerability 2: There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.

Affected Products and Fixes
| Product Name | Affected Version | Resolved Version |
| MC801A | MC801A_Elisa3_B19 | MC801A_Elisa3_B22 |
| MC801A1 | MC801A1_Elisa1_B04 | MC801A1_Elisa1_B06 |

Acknowledgement
ZTE thanks Baptiste MOINE (Creased) and Romain KRAFT (Areizen) for paying attention to our products and cooperating with us to disclose vulnerabilities.

Update Records
August 24, 2023, initial.

Version Update Method
A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

Global Customer Support Center
http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

ZTE PSIRT
https://www.zte.com.cn/global/cybersecurity/ztepsirt.html