Default Accounts : ZTE ZXV10 W300 Wireless Router Hardcoded Credentials Security Bypass Vulnerability (SNMP/Telnet)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.103903

Categoría: Default Accounts

Título: ZTE ZXV10 W300 Wireless Router Hardcoded Credentials Security Bypass Vulnerability (SNMP/Telnet)

Resumen: ZTE ZXV10 W300 wireless router is prone to a security-bypass; vulnerability.

Descripción: Summary:
ZTE ZXV10 W300 wireless router is prone to a security-bypass
vulnerability.

Vulnerability Insight:
The TELNET service on the ZTE ZXV10 W300 router 2.1.0
has a hardcoded password ending with airocon for the admin account,
which allows remote attackers to obtain administrative access by
leveraging knowledge of the MAC address characters present at the
beginning of the password.

Vulnerability Impact:
Attackers can exploit this issue to bypass the authentication
mechanism and gain access to the vulnerable device.

Affected Software/OS:
ZTE ZXV10 W300 running firmware version 2.1.0 is vulnerable. Other
versions may also be affected.

Update 2015-08-28: At least the following models are also affected:

Asus: DSL N12E

Digicom: DG-5524T

Observa :RTA01N

PLDT: SpeedSurf 504AN

ZTE: ZXV10 W300

Solution:
No known solution was made available for at least one year since
the disclosure of this vulnerability. Likely none will be provided anymore. General solution options
are to upgrade to a newer release, disable respective features, remove the product or replace the
product by another one.

CVSS Score:
9.3

CVSS Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2014-0329
BugTraq ID: 65310
http://www.securityfocus.com/bid/65310
CERT/CC vulnerability note: VU#228886
http://www.kb.cert.org/vuls/id/228886
http://blog.alguien.at/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html
http://packetstormsecurity.com/files/125142/ZTE-ZXV10-W300-Hardcoded-Credentials.html
http://osvdb.org/102816
XForce ISS Database: zxv10-w300-cve20140329-sec-bypass(90958)
https://exchange.xforce.ibmcloud.com/vulnerabilities/90958

Copyright Copyright (C) 2014 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.103903
Categoría:	Default Accounts
Título:	ZTE ZXV10 W300 Wireless Router Hardcoded Credentials Security Bypass Vulnerability (SNMP/Telnet)
Resumen:	ZTE ZXV10 W300 wireless router is prone to a security-bypass; vulnerability.
Descripción:	Summary: ZTE ZXV10 W300 wireless router is prone to a security-bypass vulnerability. Vulnerability Insight: The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account, which allows remote attackers to obtain administrative access by leveraging knowledge of the MAC address characters present at the beginning of the password. Vulnerability Impact: Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable device. Affected Software/OS: ZTE ZXV10 W300 running firmware version 2.1.0 is vulnerable. Other versions may also be affected. Update 2015-08-28: At least the following models are also affected: Asus: DSL N12E Digicom: DG-5524T Observa :RTA01N PLDT: SpeedSurf 504AN ZTE: ZXV10 W300 Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 9.3 CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2014-0329 BugTraq ID: 65310 http://www.securityfocus.com/bid/65310 CERT/CC vulnerability note: VU#228886 http://www.kb.cert.org/vuls/id/228886 http://blog.alguien.at/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html http://packetstormsecurity.com/files/125142/ZTE-ZXV10-W300-Hardcoded-Credentials.html http://osvdb.org/102816 XForce ISS Database: zxv10-w300-cve20140329-sec-bypass(90958) https://exchange.xforce.ibmcloud.com/vulnerabilities/90958
Copyright	Copyright (C) 2014 Greenbone AG