ID

VAR-201708-0146


CVE

CVE-2015-7259


TITLE

ZTE ADSL ZXV10 W300 modem vulnerability related to certificate / password management

Trust: 0.8

sources: JVNDB: JVNDB-2015-007770

DESCRIPTION

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid username and password pairs, which allows remote authenticated users to login to a target account via any of its username and password pairs.

ZTE ADSL ZXV10 W300 modems contain vulnerabilities related to certificate and password management. Information may be obtained or altered, and service operation may be disrupted (DoS).

ZTE ADSL ZXV10 W300 is an ADSL modem product from China's ZTE Corporation (ZTE). A security vulnerability exists in the ZTE ADSL ZXV10 W300 W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 versions.

Other functions may be vulnerable as well.

*Expected behavior:* Only administrative 'admin' user should be able to change password for all the device users. 'support' is a diagnostic user with restricted privileges. It can change only its own password.

*Vulnerability:* Any non-admin user can change 'admin' password.

*Steps to reproduce:*

a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and tamper the parameter - username - change from 'support' to 'admin'
e. Enter the new password -> old password is not requested -> Submit -> Login as admin -> Pwn!

2 *Sensitive information disclosure - clear-text passwords*

Displaying user information over Telnet connection, shows all valid users and their passwords in clear-text.

*CVE-ID*: CVE-2015-7258

*Steps to reproduce:*

    $ telnet <IP>
    Trying <IP>...
    Connected to <IP>.
    Escape character is '^]'.

It is possible to log in to device with either of the username/password combination.

*CVE-ID*: CVE-2015-7259

It is considered as a (redundant) login support *feature*.

*Steps to reproduce:*

    $ telnet <IP>
    Trying <IP>...
    Connected to <IP>.
    Escape character is '^]'.
    User Access Verification
    User Access Verification
    Username: admin
    Password: <-- admin/password3
    $sh
    ADSL#login show
    Username Password Priority
    admin password1 2
    support password2 0
    admin password3 1

+++++

Best Regards,
Karn Ganeshen

Trust: 2.34

sources: NVD: CVE-2015-7259 // JVNDB: JVNDB-2015-007770 // CNVD: CNVD-2017-28179 // VULHUB: VHN-85220 // PACKETSTORM: 134336

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-28179

AFFECTED PRODUCTS

vendor: zte, model: zxv10 w300, scope: eq, version: w300v2.1.0f_er7_pe_o57

Trust: 2.4

vendor: zte, model: zxv10 w300, scope: eq, version: w300v2.1.0h_er7_pe_o57

Trust: 2.4

vendor: zte, model: adsl zxv10 w300 w300v2.1.0f er7 pe o57, scope: -, version: -

Trust: 0.6

vendor: zte, model: adsl zxv10 w300 w300v2.1.0h er7 pe o57, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2017-28179 // JVNDB: JVNDB-2015-007770 // CNNVD: CNNVD-201708-1097 // NVD: CVE-2015-7259

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7259
value: HIGH

Trust: 1.0

NVD: CVE-2015-7259
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-28179
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201708-1097
value: CRITICAL

Trust: 0.6

VULHUB: VHN-85220
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-7259
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-28179
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-85220
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-7259
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-28179 // VULHUB: VHN-85220 // JVNDB: JVNDB-2015-007770 // CNNVD: CNNVD-201708-1097 // NVD: CVE-2015-7259

PROBLEMTYPE DATA

problemtype: CWE-255

Trust: 1.9

sources: VULHUB: VHN-85220 // JVNDB: JVNDB-2015-007770 // NVD: CVE-2015-7259

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-1097

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201708-1097

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007770

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-85220

PATCH

title: ZXV10 W300, url: http://wwwen.zte.com.cn/pub/en/products/access/cpe/201111/t20111110_262340.html

Trust: 0.8

sources: JVNDB: JVNDB-2015-007770

EXTERNAL IDS

db: NVD, id: CVE-2015-7259

Trust: 3.2

db: EXPLOIT-DB, id: 38772

Trust: 2.3

db: PACKETSTORM, id: 134336

Trust: 1.8

db: PACKETSTORM, id: 134493

Trust: 1.7

db: JVNDB, id: JVNDB-2015-007770

Trust: 0.8

db: CNNVD, id: CNNVD-201708-1097

Trust: 0.7

db: CNVD, id: CNVD-2017-28179

Trust: 0.6

db: VULHUB, id: VHN-85220

Trust: 0.1

sources: CNVD: CNVD-2017-28179 // VULHUB: VHN-85220 // JVNDB: JVNDB-2015-007770 // PACKETSTORM: 134336 // CNNVD: CNNVD-201708-1097 // NVD: CVE-2015-7259

REFERENCES

url:http://seclists.org/fulldisclosure/2015/nov/48

Trust: 2.5

url:https://www.exploit-db.com/exploits/38772/

Trust: 2.3

url:http://packetstormsecurity.com/files/134336/zte-adsl-authorization-bypass-information-disclosure.html

Trust: 1.7

url:http://packetstormsecurity.com/files/134493/zte-adsl-zxv10-w300-authorization-disclosure-backdoor.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2015-7259

Trust: 1.5

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7259

Trust: 0.8

url:http://<ip>/password.htm

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7258

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7257

Trust: 0.1

sources: CNVD: CNVD-2017-28179 // VULHUB: VHN-85220 // JVNDB: JVNDB-2015-007770 // PACKETSTORM: 134336 // CNNVD: CNNVD-201708-1097 // NVD: CVE-2015-7259

CREDITS

Karn Ganeshen

Trust: 0.1

sources: PACKETSTORM: 134336

SOURCES

db: CNVD, id: CNVD-2017-28179
db: VULHUB, id: VHN-85220
db: JVNDB, id: JVNDB-2015-007770
db: PACKETSTORM, id: 134336
db: CNNVD, id: CNNVD-201708-1097
db: NVD, id: CVE-2015-7259

LAST UPDATE DATE

2025-04-20T23:27:21.707000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-28179, date: 2017-09-26T00:00:00
db: VULHUB, id: VHN-85220, date: 2017-08-29T00:00:00
db: JVNDB, id: JVNDB-2015-007770, date: 2017-09-19T00:00:00
db: CNNVD, id: CNNVD-201708-1097, date: 2017-08-25T00:00:00
db: NVD, id: CVE-2015-7259, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-28179, date: 2017-09-26T00:00:00
db: VULHUB, id: VHN-85220, date: 2017-08-24T00:00:00
db: JVNDB, id: JVNDB-2015-007770, date: 2017-09-19T00:00:00
db: PACKETSTORM, id: 134336, date: 2015-11-14T13:33:33
db: CNNVD, id: CNNVD-201708-1097, date: 2017-08-25T00:00:00
db: NVD, id: CVE-2015-7259, date: 2017-08-24T20:29:00.473