ID

VAR-201708-0144


CVE

CVE-2015-7257


TITLE

ZTE ADSL ZXV10 W300 Modem password management vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-007769

DESCRIPTION

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrator users to change the admin password by intercepting an outgoing password change request and changing the username parameter from "support" to "admin". ZTE ADSL ZXV10 W300 modems contain a vulnerability in their password management functions. Information may be obtained or altered, and service operation may be disrupted (DoS). ZTE ADSL ZXV10 W300 is an ADSL modem product from China's ZTE Corporation (ZTE). A security vulnerability exists in versions W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57.

*ZTE ADSL modems - Multiple vulnerabilities*

Confirmed on 2 (of multiple) software versions - *W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57*

1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be vulnerable as well. 'support' is a diagnostic user with restricted privileges.

*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Enter the new password -> old password is not requested -> Submit -> Login as admin -> Pwn!

2 *Sensitive information disclosure - clear-text passwords*
Displaying user information over Telnet connection, shows all valid users and their passwords in clear-text.
*CVE-ID*: CVE-2015-7258

*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: <-- admin/XXX1
$sh
ADSL#login show <-- shows user information
Username Password Priority
admin password1 2
support password2 0
admin password3 1

3 *(Potential) Backdoor account feature - insecure account management*
Same login account can exist on the device, multiple times, each with different priority#. It is possible to log in to device with either of the username/password combination.
*CVE-ID*: CVE-2015-7259
It is considered as a (redundant) login support *feature*.

*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'

Trust: 2.34

sources: NVD: CVE-2015-7257 // JVNDB: JVNDB-2015-007769 // CNVD: CNVD-2017-28177 // VULHUB: VHN-85218 // PACKETSTORM: 134336

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-28177

AFFECTED PRODUCTS

vendor: zte, model: zxv10 w300, scope: eq, version: w300v2.1.0f_er7_pe_o57

Trust: 2.4

vendor: zte, model: zxv10 w300, scope: eq, version: w300v2.1.0h_er7_pe_o57

Trust: 2.4

vendor: zte, model: adsl zxv10 w300 w300v2.1.0f er7 pe o57, scope: -, version: -

Trust: 0.6

vendor: zte, model: adsl zxv10 w300 w300v2.1.0h er7 pe o57, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2017-28177 // JVNDB: JVNDB-2015-007769 // CNNVD: CNNVD-201708-1099 // NVD: CVE-2015-7257

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7257
value: HIGH

Trust: 1.0

NVD: CVE-2015-7257
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-28177
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201708-1099
value: HIGH

Trust: 0.6

VULHUB: VHN-85218
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-7257
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-28177
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-85218
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-7257
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-28177 // VULHUB: VHN-85218 // JVNDB: JVNDB-2015-007769 // CNNVD: CNNVD-201708-1099 // NVD: CVE-2015-7257

PROBLEMTYPE DATA

problemtype:CWE-640

Trust: 1.9

sources: VULHUB: VHN-85218 // JVNDB: JVNDB-2015-007769 // NVD: CVE-2015-7257

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-1099

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201708-1099

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007769

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-85218

PATCH

title: ZXV10 W300, url: http://wwwen.zte.com.cn/pub/en/products/access/cpe/201111/t20111110_262340.html

Trust: 0.8

sources: JVNDB: JVNDB-2015-007769

EXTERNAL IDS

db: NVD, id: CVE-2015-7257

Trust: 3.2

db: EXPLOIT-DB, id: 38772

Trust: 2.3

db: PACKETSTORM, id: 134336

Trust: 1.8

db: PACKETSTORM, id: 134493

Trust: 1.7

db: JVNDB, id: JVNDB-2015-007769

Trust: 0.8

db: CNNVD, id: CNNVD-201708-1099

Trust: 0.7

db: CNVD, id: CNVD-2017-28177

Trust: 0.6

db: VULHUB, id: VHN-85218

Trust: 0.1

sources: CNVD: CNVD-2017-28177 // VULHUB: VHN-85218 // JVNDB: JVNDB-2015-007769 // PACKETSTORM: 134336 // CNNVD: CNNVD-201708-1099 // NVD: CVE-2015-7257

REFERENCES

url:http://seclists.org/fulldisclosure/2015/nov/48

Trust: 2.5

url:https://www.exploit-db.com/exploits/38772/

Trust: 2.3

url:http://packetstormsecurity.com/files/134336/zte-adsl-authorization-bypass-information-disclosure.html

Trust: 1.7

url:http://packetstormsecurity.com/files/134493/zte-adsl-zxv10-w300-authorization-disclosure-backdoor.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2015-7257

Trust: 1.5

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7257

Trust: 0.8

url:http://<ip>/password.htm

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7259

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7258

Trust: 0.1

sources: CNVD: CNVD-2017-28177 // VULHUB: VHN-85218 // JVNDB: JVNDB-2015-007769 // PACKETSTORM: 134336 // CNNVD: CNNVD-201708-1099 // NVD: CVE-2015-7257

CREDITS

Karn Ganeshen

Trust: 0.1

sources: PACKETSTORM: 134336

SOURCES

db: CNVD, id: CNVD-2017-28177
db: VULHUB, id: VHN-85218
db: JVNDB, id: JVNDB-2015-007769
db: PACKETSTORM, id: 134336
db: CNNVD, id: CNNVD-201708-1099
db: NVD, id: CVE-2015-7257

LAST UPDATE DATE

2025-04-20T23:27:21.742000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-28177, date: 2017-09-26T00:00:00
db: VULHUB, id: VHN-85218, date: 2017-08-29T00:00:00
db: JVNDB, id: JVNDB-2015-007769, date: 2017-09-19T00:00:00
db: CNNVD, id: CNNVD-201708-1099, date: 2017-08-25T00:00:00
db: NVD, id: CVE-2015-7257, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-28177, date: 2017-09-26T00:00:00
db: VULHUB, id: VHN-85218, date: 2017-08-24T00:00:00
db: JVNDB, id: JVNDB-2015-007769, date: 2017-09-19T00:00:00
db: PACKETSTORM, id: 134336, date: 2015-11-14T13:33:33
db: CNNVD, id: CNNVD-201708-1099, date: 2017-08-25T00:00:00
db: NVD, id: CVE-2015-7257, date: 2017-08-24T20:29:00.393