CVE-2018-7364 - OpenCVE

All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control vulnerability. Due to improper access control to devcomm process, an unauthorized remote attacker can exploit this vulnerability to execute arbitrary code with root privileges.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zte	Zxin10

Configuration 1 [-]

cpe:2.3:a:zte:zxin10:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009943
https://github.com/orangecertcc/security-research/security/advisories/GHSA-34f2-7h57-rg7p
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009943

History

No history.

MITRE

Status: PUBLISHED

Assigner: zte

Published: 2018-12-07T00:00:00

Updated: 2024-08-05T06:24:11.900Z

Reserved: 2018-02-22T00:00:00

Link: CVE-2018-7364

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-12-07T14:29:00.727

Modified: 2023-03-01T18:09:54.933

Link: CVE-2018-7364

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2018-7364", "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "assignerShortName": "zte", "dateUpdated": "2024-08-05T06:24:11.900Z", "dateReserved": "2018-02-22T00:00:00", "datePublished": "2018-12-07T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte", "dateUpdated": "2023-01-25T00:00:00"}, "descriptions": [{"lang": "en", "value": "All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control vulnerability. Due to improper access control to devcomm process, an unauthorized remote attacker can exploit this vulnerability to execute arbitrary code with root privileges."}], "affected": [{"vendor": "ZTE", "product": "ZXIN10-European region", "versions": [{"version": "unspecified", "lessThanOrEqual": "ZXINOS-RESV1.01.43", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009943"}, {"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009943"}, {"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-34f2-7h57-rg7p"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-284: Improper Access Control", "cweId": "CWE-284"}]}], "source": {"discovery": "UNKNOWN"}, "datePublic": "2018-12-07T00:00:00"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:24:11.900Z"}, "title": "CVE Program Container", "references": [{"url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009943", "tags": ["x_transferred"]}, {"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009943", "tags": ["x_transferred"]}, {"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-34f2-7h57-rg7p", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zte:zxin10:*:*:*:*:*:*:*:*", "matchCriteriaId": "B99E6EFC-284A-43C7-8F76-D4D69B17FCE7", "versionEndExcluding": "resv1.01.44", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control vulnerability. Due to improper access control to devcomm process, an unauthorized remote attacker can exploit this vulnerability to execute arbitrary code with root privileges."}, {"lang": "es", "value": "Todas las versiones hasta la ZXINOS-RESV1.01.43 del producto ZTE ZXIN10, en la regi\u00f3n europea, se han visto impactadas por una vulnerabilidad de control de acceso incorrecto. Debido al control de acceso incorrecto al proceso devcomm, un atacante remoto no autorizado puede explotar esta vulnerabilidad para ejecutar c\u00f3digo arbitrario con privilegios root."}], "id": "CVE-2018-7364", "lastModified": "2023-03-01T18:09:54.933", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "psirt@zte.com.cn", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-12-07T14:29:00.727", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009943"}, {"source": "psirt@zte.com.cn", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-34f2-7h57-rg7p"}, {"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009943"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "psirt@zte.com.cn", "type": "Secondary"}]}