Executive Summary



This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary
Title: ZTE ZXHN H108N R1A routers contain multiple vulnerabilities
Information
Name: VU#391604
First vendor publication: 2015-11-03
Vendor: VU-CERT
Last vendor modification: 2015-11-04
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
CVSS impact score: 10
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None Required

Detail

Vulnerability Note VU#391604

ZTE ZXHN H108N R1A routers contain multiple vulnerabilities

Original Release date: 03 Nov 2015 | Last revised: 04 Nov 2015

Overview

ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.

Description

CWE-200: Information Exposure - CVE-2015-7248

Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN H108N R1A.

  1. User names and password hashes can be viewed in the page source of http://<IP>/cgi-bin/webproc
  2. The configuration file of the device contains usernames, passwords, keys, and other values in plain text, which can be used by a user with lower privileges to gain admin account access. This issue also affects ZTE ZXV10 W300 models, version W300V1.0.0f_ER1_PE.

CWE-285: Improper Authorization - CVE-2015-7249

By default, only admin may authenticate directly with the web administration pages in the ZXHN H108N R1A. By manipulating parameters in client-side requests, an attacker may authenticate as another existing account, such as user or support, and may be able to perform actions otherwise not allowed. For instance, while authenticated as support, directly accessing http://<IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd permits changing the password of user.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-7250

The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter which takes an unrestricted file path as input, allowing an attacker to read arbitrary files on the system.

CWE-798: Use of Hard-coded Credentials - CVE-2015-7251

In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible using the hard-coded credentials 'root' for both the username and password.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-7252

In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is vulnerable to reflected cross-site scripting.
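
A log check for the two webproc parameter issues described above (getpage, CVE-2015-7250, and errorpage, CVE-2015-7252). This is an added example, not code from the advisory or from ZTE. It assumes requests to the management interface are recorded in common log format by a proxy or sensor, and that legitimate getpage values stay under html/ as in the advisory's example URL; the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate getpage values stay under html/, as in the
# advisory's example URL (getpage=html/index.html).
ALLOWED_ROOT = "html/"
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return sorted findings for one request target (path plus query)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/webproc"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = set()
    for raw in params.get("getpage", []):
        page = fully_decode(raw).replace("\\", "/")
        resolved = posixpath.normpath(page) + "/"  # collapse ../ segments
        if page.startswith("/") or "\x00" in page or not resolved.startswith(ALLOWED_ROOT):
            findings.add("CVE-2015-7250: getpage outside html/")
    for raw in params.get("errorpage", []):
        if set("<>\"'") & set(fully_decode(raw)):
            findings.add("CVE-2015-7252: markup in errorpage")
    return sorted(findings)

def scan(lines):
    """Return (client, findings) for each log line that matches a rule."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (found := classify(m.group(2))):
            hits.append((m.group(1), found))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Nov/2015:10:00:01 +0000] "GET /cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance HTTP/1.1" 200 5120',
    '192.0.2.44 - - [03/Nov/2015:10:00:09 +0000] "GET /cgi-bin/webproc?getpage=html%252F..%252F..%252Fetc%252Fhosts HTTP/1.1" 200 311',
    '192.0.2.44 - - [03/Nov/2015:10:00:15 +0000] "GET /cgi-bin/webproc?getpage=html/index.html&errorpage=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 4990',
    '192.0.2.10 - - [03/Nov/2015:10:00:20 +0000] "GET /index.css HTTP/1.1" 200 900',
]
```

The second sample line is double-encoded and begins with html/, so a check that decodes once or only tests the prefix would miss it.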

Impact

A LAN-based attacker can obtain credentials and configuration information, bypass authentication, access arbitrary files, and gain complete control of affected devices. Note that in some configurations, an external attacker may be able to leverage these vulnerabilities.

Solution

Apply an update

The vendor has issued ZTE.bhs.ZXHNH108NR1A.k_PE to address the vulnerabilities affecting ZTE ZXHN H108N R1A. Users are encouraged to contact their Internet service provider for updates.

Note that W300 models are no longer officially supported and will not be receiving any updates. Users should consider the following workaround.

Discontinue use

ZTE states:

    The vulnerable W300 router was officially replaced by H108N V2.1 released in July 2014, and the vulnerable H108N was finished upgrading to version ZTE.bhs.ZXHNH108NR1A.k_PE through operator channel that all the vulnerabilities mentioned herein were fixed. ZTE recommends users to contact local operators for upgrade service.

Since patches will not be issued to address vulnerabilities in W300 routers, users should strongly consider discontinuing use of affected devices. Users of ISP-provisioned W300 devices should request replacement routers.

Vendor Information

Vendor           Status    Date Notified  Date Updated
ZTE Corporation  Affected  14 Aug 2015    30 Oct 2015

CVSS Metrics

Group          Score  Vector
Base           8.3    AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.9    E:F/RL:U/RC:C
Environmental  5.9    CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://cwe.mitre.org/data/definitions/200.html
  • https://cwe.mitre.org/data/definitions/285.html
  • https://cwe.mitre.org/data/definitions/288.html
  • http://cwe.mitre.org/data/definitions/22.html
  • http://cwe.mitre.org/data/definitions/798.html

Credit

Thanks to Karn Ganeshen for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2015-7248, CVE-2015-7249, CVE-2015-7250, CVE-2015-7251, CVE-2015-7252
  • Date Public: 03 Nov 2015
  • Date First Published: 03 Nov 2015
  • Date Last Updated: 04 Nov 2015
  • Document Revision: 32


Original Source

Url : http://www.kb.cert.org/vuls/id/391604

CWE : Common Weakness Enumeration

% Id Name
33 % CWE-200 Information Exposure
17 % CWE-264 Permissions, Privileges, and Access Controls
17 % CWE-255 Credentials Management
17 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
17 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type  Description  Count
Os                 1

Alert History

Date / Information
2015-12-30 21:28:09
  • Multiple Updates
2015-12-30 09:27:30
  • Multiple Updates
2015-11-04 21:17:35
  • Multiple Updates
2015-11-04 17:21:07
  • Multiple Updates
2015-11-04 00:21:21
  • First insertion