Vulnerability-Lookup

CNVD-2023-09678

Vulnerability from cnvd - Published: 2023-02-17

Title

ZTE ZXMP M721信息泄露漏洞

Description

ZTE ZXMP M721是中国中兴通讯（ZTE）公司的一款城域边缘OTN（光传送网）设备。 ZTE ZXMP M721 commond21bootv100004_ls1045版本存在信息泄露漏洞，该漏洞源于ZBOOT接口的串口认证虽然开启，但并未生效，攻击者可利用漏洞登录设备获取敏感信息。

Severity

高

Patch Name

ZTE ZXMP M721信息泄露漏洞的补丁

Patch Description

ZTE ZXMP M721是中国中兴通讯（ZTE）公司的一款城域边缘OTN（光传送网）设备。 ZTE ZXMP M721 commond21bootv100004_ls1045版本存在信息泄露漏洞，该漏洞源于ZBOOT接口的串口认证虽然开启，但并未生效，攻击者可利用漏洞登录设备获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264

Reference

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264

Impacted products

Name
ZTE ZTE ZXMP M721 commond21bootv100004_ls1045

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-23141",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-23141"
    }
  },
  "description": "ZTE ZXMP M721\u662f\u4e2d\u56fd\u4e2d\u5174\u901a\u8baf\uff08ZTE\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u57ce\u57df\u8fb9\u7f18OTN\uff08\u5149\u4f20\u9001\u7f51\uff09\u8bbe\u5907\u3002\n\nZTE ZXMP M721 commond21bootv100004_ls1045\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eZBOOT\u63a5\u53e3\u7684\u4e32\u53e3\u8ba4\u8bc1\u867d\u7136\u5f00\u542f\uff0c\u4f46\u5e76\u672a\u751f\u6548\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u767b\u5f55\u8bbe\u5907\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-09678",
  "openTime": "2023-02-17",
  "patchDescription": "ZTE ZXMP M721\u662f\u4e2d\u56fd\u4e2d\u5174\u901a\u8baf\uff08ZTE\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u57ce\u57df\u8fb9\u7f18OTN\uff08\u5149\u4f20\u9001\u7f51\uff09\u8bbe\u5907\u3002\r\n\r\nZTE ZXMP M721 commond21bootv100004_ls1045\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eZBOOT\u63a5\u53e3\u7684\u4e32\u53e3\u8ba4\u8bc1\u867d\u7136\u5f00\u542f\uff0c\u4f46\u5e76\u672a\u751f\u6548\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u767b\u5f55\u8bbe\u5907\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ZTE ZXMP M721\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "ZTE ZTE ZXMP M721 commond21bootv100004_ls1045"
  },
  "referenceLink": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264",
  "serverity": "\u9ad8",
  "submitTime": "2022-07-19",
  "title": "ZTE ZXMP M721\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2022-23141 (GCVE-0-2022-23141)

Vulnerability from cvelistv5 – Published: 2022-07-15 14:44 – Updated: 2024-08-03 03:36

Summary

ZXMP M721 has an information leak vulnerability. Since the serial port authentication on the ZBOOT interface is not effective although it is enabled, an attacker could use this vulnerability to log in to the device to obtain sensitive information.

Severity ?

No CVSS data available.

CWE

information leak

Assigner

zte

References

URL

Tags

https://support.zte.com.cn/support/news/LoopholeI…

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	ZXMP M721	Affected: COMMOND21BOOTV100004_LS1045

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:36:19.935Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ZXMP M721",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "COMMOND21BOOTV100004_LS1045"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ZXMP M721 has an information leak vulnerability. Since the serial port authentication on the ZBOOT interface is not effective although it is enabled, an attacker could use this vulnerability to log in to the device to obtain sensitive information."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "information leak",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-15T14:44:50",
        "orgId": "6786b568-6808-4982-b61f-398b0d9679eb",
        "shortName": "zte"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@zte.com.cn",
          "ID": "CVE-2022-23141",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ZXMP M721",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "COMMOND21BOOTV100004_LS1045"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ZXMP M721 has an information leak vulnerability. Since the serial port authentication on the ZBOOT interface is not effective although it is enabled, an attacker could use this vulnerability to log in to the device to obtain sensitive information."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "information leak"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264",
              "refsource": "MISC",
              "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb",
    "assignerShortName": "zte",
    "cveId": "CVE-2022-23141",
    "datePublished": "2022-07-15T14:44:50",
    "dateReserved": "2022-01-11T00:00:00",
    "dateUpdated": "2024-08-03T03:36:19.935Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-09678

CVE-2022-23141 (GCVE-0-2022-23141)

Tags

Sightings

Nomenclature