ID

VAR-201908-0067


CVE

CVE-2019-3417


TITLE

ZTE ZXHN F670 Command Injection Vulnerability

Trust: 1.4

sources: CNVD: CNVD-2019-41898 // JVNDB: JVNDB-2019-008356

DESCRIPTION

All versions of the ZTE ZXHN F670 product up to V1.1.10P3T18 are affected by a command injection vulnerability. Because of insufficient parameter validation, an authorized user can exploit this vulnerability to take control of the user's router system. ZTE ZXHN F670 contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). ZTE ZXHN F670 is a modem from China's ZTE Corporation (ZTE). An attacker could exploit the vulnerability to execute an illegal command. The vulnerability stems from the network system or product not correctly filtering special elements when constructing executable commands from external input data.

Trust: 2.25

sources: NVD: CVE-2019-3417 // JVNDB: JVNDB-2019-008356 // CNVD: CNVD-2019-41898 // VULHUB: VHN-154852

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-41898

AFFECTED PRODUCTS

vendor: zte
model: zxhn f670
scope: lte
version: 1.1.10p3t18

Trust: 1.8

vendor: zte
model: zxhn f670 <=1.1.10p3t18
scope: -
version: -

Trust: 0.6

sources: CNVD: CNVD-2019-41898 // JVNDB: JVNDB-2019-008356 // NVD: CVE-2019-3417

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-3417
value: HIGH

Trust: 1.0

psirt@zte.com.cn: CVE-2019-3417
value: HIGH

Trust: 1.0

NVD: CVE-2019-3417
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-41898
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201908-1108
value: HIGH

Trust: 0.6

VULHUB: VHN-154852
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-3417
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-41898
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-154852
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-3417
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@zte.com.cn: CVE-2019-3417
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 5.8
version: 3.0

Trust: 1.0

NVD: CVE-2019-3417
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-41898 // VULHUB: VHN-154852 // JVNDB: JVNDB-2019-008356 // CNNVD: CNNVD-201908-1108 // NVD: CVE-2019-3417 // NVD: CVE-2019-3417

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-154852 // JVNDB: JVNDB-2019-008356 // NVD: CVE-2019-3417

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1108

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201908-1108

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008356

PATCH

title: Two Vulnerabilities in ZTE ZXHN F670 Product
url: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010163

Trust: 0.8

title: Patch for ZTE ZXHN F670 Command Injection Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/191429

Trust: 0.6

title: ZTE ZXHN F670 Fixes for command injection vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96773

Trust: 0.6

sources: CNVD: CNVD-2019-41898 // JVNDB: JVNDB-2019-008356 // CNNVD: CNNVD-201908-1108

EXTERNAL IDS

db: NVD, id: CVE-2019-3417

Trust: 3.1

db: ZTE, id: 1010163

Trust: 1.7

db: JVNDB, id: JVNDB-2019-008356

Trust: 0.8

db: CNNVD, id: CNNVD-201908-1108

Trust: 0.7

db: CNVD, id: CNVD-2019-41898

Trust: 0.6

db: VULHUB, id: VHN-154852

Trust: 0.1

sources: CNVD: CNVD-2019-41898 // VULHUB: VHN-154852 // JVNDB: JVNDB-2019-008356 // CNNVD: CNNVD-201908-1108 // NVD: CVE-2019-3417

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2019-3417

Trust: 2.0

url: http://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1010163

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3417

Trust: 0.8

sources: CNVD: CNVD-2019-41898 // VULHUB: VHN-154852 // JVNDB: JVNDB-2019-008356 // CNNVD: CNNVD-201908-1108 // NVD: CVE-2019-3417

CREDITS

Egor Dimitrenko and Alexandr Shvetsov at Positive Technologies

Trust: 0.6

sources: CNNVD: CNNVD-201908-1108

SOURCES

db: CNVD, id: CNVD-2019-41898
db: VULHUB, id: VHN-154852
db: JVNDB, id: JVNDB-2019-008356
db: CNNVD, id: CNNVD-201908-1108
db: NVD, id: CVE-2019-3417

LAST UPDATE DATE

2024-11-23T22:16:56.119000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-41898, date: 2019-11-22T00:00:00
db: VULHUB, id: VHN-154852, date: 2023-03-03T00:00:00
db: JVNDB, id: JVNDB-2019-008356, date: 2019-08-29T00:00:00
db: CNNVD, id: CNNVD-201908-1108, date: 2020-10-28T00:00:00
db: NVD, id: CVE-2019-3417, date: 2024-11-21T04:42:03.537

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-41898, date: 2019-11-21T00:00:00
db: VULHUB, id: VHN-154852, date: 2019-08-15T00:00:00
db: JVNDB, id: JVNDB-2019-008356, date: 2019-08-29T00:00:00
db: CNNVD, id: CNNVD-201908-1108, date: 2019-08-15T00:00:00
db: NVD, id: CVE-2019-3417, date: 2019-08-15T15:15:16.500