CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.007 Low
Percentile: 79.7%

ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.
CWE-200: Information Exposure - CVE-2015-7248
Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN H108N R1A.
http://<IP>/cgi-bin/webproc
CWE-285: Improper Authorization - CVE-2015-7249
By default, only `admin` may authenticate directly with the web administration pages in the ZXHN H108N R1A. By manipulating parameters in client-side requests, an attacker may authenticate as another existing account, such as `user` or `support`, and may be able to perform actions otherwise not allowed. For instance, while authenticated as `support`, directly accessing `http://<IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd` permits changing the password of `user`.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) - CVE-2015-7250
The `webproc` cgi module of the ZXHN H108N R1A accepts a `getpage` parameter which takes an unrestricted file path as input, allowing an attacker to read arbitrary files on the system.
CWE-798: Use of Hard-coded Credentials - CVE-2015-7251
In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible using the hard-coded credentials ‘root’ for both the username and password.
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) - CVE-2015-7252
The `errorpage` parameter of the `webproc` cgi module is vulnerable to reflected cross-site scripting.

A LAN-based attacker can obtain credentials and configuration information, bypass authentication, access arbitrary files, and gain complete control of affected devices. Note that in some configurations, an external attacker may be able to leverage these vulnerabilities.
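For defenders who log requests to these routers (for example at a proxy), the sketch below flags `webproc` requests matching the `getpage`, `errorpage` and `accountpsd` issues described above. It is an added example, not part of the original advisory; it assumes one requested URL per log entry and that legitimate `getpage` values stay under `html/`, as in the advisory's single example URL. The sample URLs are constructed.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumption: legitimate getpage values live under html/ (inferred from the
# advisory's one example URL, not from vendor documentation).
ALLOWED_PREFIX = "html/"

def classify(url):
    """Return findings for one requested URL; an empty list means nothing flagged."""
    parts = urlsplit(url)
    if not parts.path.endswith("/cgi-bin/webproc"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for value in params.get("getpage", []):
        # Collapse ../ segments before checking where the path really points.
        normalized = posixpath.normpath(value)
        if value.startswith("/") or not (normalized + "/").startswith(ALLOWED_PREFIX):
            findings.append("CVE-2015-7250: getpage outside html/")
    for value in params.get("errorpage", []):
        if any(ch in value for ch in "<>\"'"):
            findings.append("CVE-2015-7252: markup characters in errorpage")
    # An admin may use this page legitimately, so treat it as a review item.
    if "accountpsd" in params.get("var:subpage", []):
        findings.append("CVE-2015-7249: password-change page requested")
    return findings

def scan(urls):
    """Map each flagged URL to its findings."""
    results = {}
    for url in urls:
        findings = classify(url)
        if findings:
            results[url] = findings
    return results

# Constructed sample requests (192.0.2.1 is a documentation address).
SAMPLE = [
    "http://192.0.2.1/cgi-bin/webproc?getpage=html/index.html",
    "http://192.0.2.1/cgi-bin/webproc?getpage=..%2F..%2Fplaceholder%2Ffile",
    "http://192.0.2.1/cgi-bin/webproc?getpage=html/index.html&errorpage=%3Cx%3E",
    "http://192.0.2.1/cgi-bin/webproc?getpage=html/index.html"
    "&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd",
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE).items():
        print(url, findings)
```
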
Apply an update
The vendor has issued ZTE.bhs.ZXHNH108NR1A.k_PE to address the vulnerabilities affecting ZTE ZXHN H108N R1A. Users are encouraged to contact their Internet service provider for updates.
Note that W300 models are no longer officially supported and will not be receiving any updates. Users should consider the following workaround.
Discontinue use
ZTE states:
The vulnerable W300 router was officially replaced by H108N V2.1 released in July 2014, and the vulnerable H108N was finished upgrading to version ZTE.bhs.ZXHNH108NR1A.k_PE through operator channel that all the vulnerabilities mentioned herein were fixed. ZTE recommends users to contact local operators for upgrade service.
Since patches will not be issued to address vulnerabilities in W300 routers, users should strongly consider discontinuing use of affected devices. Users of ISP-provisioned W300 devices should request replacement routers.
391604
Notified: August 14, 2015 Updated: October 30, 2015
Statement Date: September 29, 2015
Affected
The vulnerable W300 router was officially replaced by H108N V2.1 released in July 2014, and the vulnerable H108N was finished upgrading to version ZTE.bhs.ZXHNH108NR1A.k_PE through operator channel that all the vulnerabilities mentioned herein were fixed. ZTE recommends users to contact local operators for upgrade service.
We are not aware of further vendor information regarding this vulnerability.
ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, are affected as indicated.
Group | Score | Vector |
---|---|---|
Base | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 7.9 | E:F/RL:U/RC:C |
Environmental | 5.9 | CDP:N/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Karn Ganeshen for reporting these vulnerabilities.
This document was written by Joel Land.
CVE IDs: | CVE-2015-7248, CVE-2015-7249, CVE-2015-7250, CVE-2015-7251, CVE-2015-7252 |
---|---|
Date Public: | 2015-11-03 |
Date First Published: | |