Configuration Error Vulnerability in ZTE ZXUN-ePDG

Original Release Date: May 10 2024

Vulnerability ID

CVE ID: CVE-2024-22064
CNNVD ID: CNNVD-2024-07840129

CVSS 3.1 Base Score

8.3 High (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)

Description

The ZTE ZXUN-ePDG product, which serves as a network node of the VoWiFi system, in its default configuration uses a set of non-unique cryptographic keys when establishing a secure connection (IKE) with mobile devices connecting over the Internet. If this set of keys is leaked or cracked, the user session information protected by these keys may be exposed.

Affected Products and Fixes

Product Name    Affected Version        Resolved Version
ZXUN-ePDG       V5.20.19 and earlier    V5.20.20
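The following is an added example and not ZTE's code or a tool from the advisory. It shows two checks an operator could run against the two facts the advisory states: a version comparison against the affected range (V5.20.19 and earlier, resolved in V5.20.20), and a uniqueness check over key material observed across independent IKE sessions, which is empty when every session uses fresh keys and non-empty when a shared key is in use. The advisory does not say which IKE value is non-unique, so the session record layout (session id, peer, hex-encoded responder key material) and the sample sessions are assumptions constructed for this example.

```python
"""
Added example, not part of the ZTE advisory.

1. is_affected(version): compare a ZXUN-ePDG version string against the
   advisory's affected range (V5.20.19 and earlier; resolved in V5.20.20).
2. find_reused_key_material(sessions): report key values that recur across
   independent IKE sessions. The record layout below is an assumption made
   for this example; the advisory does not name the affected IKE field.
"""
from collections import defaultdict
from dataclasses import dataclass

FIRST_FIXED_VERSION = "V5.20.20"  # from the advisory's Resolved Version column


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'V5.20.19' into (5, 20, 19) so versions compare numerically."""
    stripped = version.strip().lstrip("Vv")
    return tuple(int(part) for part in stripped.split("."))


def is_affected(version: str) -> bool:
    """True when the version is older than the first fixed release."""
    return parse_version(version) < parse_version(FIRST_FIXED_VERSION)


@dataclass(frozen=True)
class IkeSession:
    """Assumed per-session record; layout is an assumption for this example."""
    session_id: str
    peer: str          # identifier of the connecting device
    key_material: str  # hex-encoded responder value captured from the IKE handshake


def find_reused_key_material(sessions: list[IkeSession]) -> dict[str, list[str]]:
    """Map each key value seen in more than one session to the session ids
    that share it. Fresh per-session randomness makes this dict empty; any
    entry means a non-unique key is in use across sessions."""
    seen: dict[str, list[str]] = defaultdict(list)
    for s in sessions:
        # Normalise hex case so 'ABCD' and 'abcd' count as the same value.
        seen[s.key_material.lower()].append(s.session_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


# Constructed sample: three sessions, two of which share the same key material.
SAMPLE_SESSIONS = [
    IkeSession("s1", "ue-a", "0a1b2c3d"),
    IkeSession("s2", "ue-b", "ffeeddcc"),
    IkeSession("s3", "ue-c", "0A1B2C3D"),
]

if __name__ == "__main__":
    for v in ("V5.20.19", "V5.20.20"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(find_reused_key_material(SAMPLE_SESSIONS))
```

Run against real data, the session list would be populated from the ePDG's own IKE logs or a capture on the operator side; the check only reports reuse, it does not reveal which sessions were compromised, so a non-empty result is a reason to move to the resolved version rather than a finding in itself.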

Acknowledgement

ZTE thanks the researchers at University of Vienna: Gabriel K. Gegenhuber, Florian Holzbauer and Edgar Weippl, the researcher at SBA Research Center of Vienna: Philipp Frenzel, and the researcher at CISPA Helmholtz Center for Information Security: Adrian Dabrowski, who discovered and reported this vulnerability to ZTE through the GSMA CVD Program. ZTE also thanks the GSMA CVD Program for their coordination and communication regarding this vulnerability.

Update Records

May 10 2024, initial.

Version Update Method

ZTE has notified its affected global customers and guided them in applying the fix. If you have further questions, please contact the ZTE Global Customer Center.

Global Customer Support Center

http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html