ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.
CWE-200: Information Exposure - CVE-2015-7248
Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN H108N R1A.
CWE-285: Improper Authorization - CVE-2015-7249
By default, only admin may authenticate directly with the web administration pages in the ZXHN H108N R1A. By manipulating parameters in client-side requests, an attacker may authenticate as another existing account, such as user or support, and may be able to perform actions otherwise not allowed. For instance, while authenticated as support, directly accessing http://<IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd permits changing the password of user.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-7250
The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter which takes an unrestricted file path as input, allowing an attacker to read arbitrary files on the system.
CWE-798: Use of Hard-coded Credentials - CVE-2015-7251
In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible using the hard-coded credentials 'root' for both the username and password.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-7252
In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is vulnerable to reflected cross-site scripting.
A LAN-based attacker can obtain credentials and configuration information, bypass authentication, access arbitrary files, and gain complete control of affected devices. Note that in some configurations, an external attacker may be able to leverage these vulnerabilities.
Apply an update
Thanks to Karn Ganeshen for reporting these vulnerabilities.
This document was written by Joel Land.