Details of VAR-201906-0180

ID

VAR-201906-0180

CVE

CVE-2019-3409

TITLE

WF820+ LTE Outdoor CPE Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-005456

DESCRIPTION

All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE product are impacted by command injection vulnerability. Due to inadequate parameter verification, unauthorized users can take advantage of this vulnerability to control the user terminal system. ZTE WF820+ LTE Outdoor CPE is an outdoor CPE (Customer Premise Equipment) device from China ZTE Corporation. This vulnerability stems from the external input data constructing executable commands, and the network system or product does not properly filter the special elements. An attacker could exploit the vulnerability to execute an illegal command

Trust: 2.16

sources: NVD: CVE-2019-3409 // JVNDB: JVNDB-2019-005456 // CNVD: CNVD-2019-41443

IOT TAXONOMY

category:	['Network device']	sub_category:	-	Trust: 0.6
category:	['network device']	sub_category:	router	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2019-41443

AFFECTED PRODUCTS

vendor:	zte	model:	wf820\+ lte outdoor cpe	scope:	lt	version:	1.0.0b06	Trust: 1.0
vendor:	zte	model:	wf820+ lte outdoor cpe	scope:	lte	version:	ukbb_wf820+_1.0.0b06	Trust: 0.8
vendor:	zte	model:	wf820+ lte outdoor cpe <ukbb wf820+ 1.0.0b06	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2019-41443 // JVNDB: JVNDB-2019-005456 // NVD: CVE-2019-3409

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-3409
value:	HIGH
Trust: 1.0
psirt@zte.com.cn:	CVE-2019-3409
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-3409
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-41443
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201906-373
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2019-3409
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-41443
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-3409
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8
psirt@zte.com.cn:	CVE-2019-3409
baseSeverity:	CRITICAL
baseScore:	9.0
vectorString:	CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.3
impactScore:	6.0
version:	3.0
Trust: 1.0

sources: CNVD: CNVD-2019-41443 // JVNDB: JVNDB-2019-005456 // CNNVD: CNNVD-201906-373 // NVD: CVE-2019-3409 // NVD: CVE-2019-3409

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	CWE-77	Trust: 0.8

sources: JVNDB: JVNDB-2019-005456 // NVD: CVE-2019-3409

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-373

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201906-373

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005456

PATCH

title:	Two Vulnerabilities in ZTE WF820+ LTE Outdoor CPE Product	url:	http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010662	Trust: 0.8
title:	Patch for ZTE WF820+ LTE Outdoor CPE Command Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/191131	Trust: 0.6
title:	ZTE WF820+ LTE Outdoor CPE Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93615	Trust: 0.6

sources: CNVD: CNVD-2019-41443 // JVNDB: JVNDB-2019-005456 // CNNVD: CNNVD-201906-373

EXTERNAL IDS

db:	NVD	id:	CVE-2019-3409	Trust: 3.1
db:	ZTE	id:	1010662	Trust: 2.2
db:	JVNDB	id:	JVNDB-2019-005456	Trust: 0.8
db:	CNVD	id:	CNVD-2019-41443	Trust: 0.6
db:	CNNVD	id:	CNNVD-201906-373	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2019-41443 // JVNDB: JVNDB-2019-005456 // CNNVD: CNNVD-201906-373 // NVD: CVE-2019-3409

REFERENCES

url:	http://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1010662	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3409	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3409	Trust: 0.8
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2019-41443 // JVNDB: JVNDB-2019-005456 // CNNVD: CNNVD-201906-373 // NVD: CVE-2019-3409

SOURCES

db:	OTHER	id:	-
db:	CNVD	id:	CNVD-2019-41443
db:	JVNDB	id:	JVNDB-2019-005456
db:	CNNVD	id:	CNNVD-201906-373
db:	NVD	id:	CVE-2019-3409

LAST UPDATE DATE

2025-01-30T21:22:46.350000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-41443	date:	2019-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-005456	date:	2019-06-20T00:00:00
db:	CNNVD	id:	CNNVD-201906-373	date:	2020-10-28T00:00:00
db:	NVD	id:	CVE-2019-3409	date:	2024-11-21T04:42:02.670

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-41443	date:	2019-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-005456	date:	2019-06-20T00:00:00
db:	CNNVD	id:	CNNVD-201906-373	date:	2019-06-11T00:00:00
db:	NVD	id:	CVE-2019-3409	date:	2019-06-11T19:29:00.810