ZTE ZXV10 W300 router contains hardcoded credentials

2014-02-09 / 2014-02-10

Credit: USCERT

Risk: High

Local: No

Remote: Yes

CVE: CVE-2014-0329

CWE: CWE-798

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

Overview
ZTE ZXV10 W300 router version 2.1.0, and possibly earlier versions, contains hardcoded credentials. (CWE-798)
Description
ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet service on the device. The username is "admin" and the password is "XXXXairocon" where "XXXX" is the last four characters of the device's MAC address. The MAC address is obtainable over SNMP with community string public.
Impact
A remote unauthenticated attacker may be able to obtain the MAC address of the device and log into the telnet service of the device with hardcoded credentials.
Solution
We are currently unaware of a practical solution to this problem. Please consider the following workaround.
Restrict Access
Enable firewall rules so the telnet service of the device is not accessible to untrusted sources. Enable firewall rules that block SNMP on the device.

References:

http://www.kb.cert.org/vuls/id/228886

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

ZTE ZXV10 W300 router contains hardcoded credentials

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.