CVE-2021-21723

Some ZTE products have a DoS vulnerability. Due to the improper handling of memory release in some specific scenarios, a remote attacker can trigger the vulnerability by performing a series of operations, resulting in memory leak, which may eventually lead to device denial of service. This affects: ZXR10 9904, ZXR10 9908, ZXR10 9916, ZXR10 9904-S, ZXR10 9908-S; all versions up to V1.01.10.B12.

CVSS v3 7.5 HIGH
CVSS v2.0 4.3 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:N/A:P

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1014424	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:h:zte:zxr10_9904:-:*:*:*:*:*:*:*

cpe:2.3:o:zte:zxr10_9904_firmware:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:h:zte:zxr10_9908:-:*:*:*:*:*:*:*

cpe:2.3:o:zte:zxr10_9908_firmware:*:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:h:zte:zxr10_9916:-:*:*:*:*:*:*:*

cpe:2.3:o:zte:zxr10_9916_firmware:*:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:h:zte:zxr10_9904-s:-:*:*:*:*:*:*:*

cpe:2.3:o:zte:zxr10_9904-s_firmware:*:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:h:zte:zxr10_9908-s:-:*:*:*:*:*:*:*

cpe:2.3:o:zte:zxr10_9908-s_firmware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-01-26 18:16

Updated : 2021-02-02 21:19

NVD link : CVE-2021-21723

Mitre link : CVE-2021-21723

CVE.ORG link : CVE-2021-21723

JSON object : View

Products Affected

zte

zxr10_9916
zxr10_9904-s
zxr10_9904
zxr10_9908_firmware
zxr10_9916_firmware
zxr10_9908
zxr10_9908-s
zxr10_9904-s_firmware
zxr10_9908-s_firmware
zxr10_9904_firmware

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2021-21723", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-01-26T18:16:18.803", "references": [{"url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1014424", "tags": ["Vendor Advisory"], "source": "psirt@zte.com.cn"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "Some ZTE products have a DoS vulnerability. Due to the improper handling of memory release in some specific scenarios, a remote attacker can trigger the vulnerability by performing a series of operations, resulting in memory leak, which may eventually lead to device denial of service. This affects: ZXR10 9904, ZXR10 9908, ZXR10 9916, ZXR10 9904-S, ZXR10 9908-S; all versions up to V1.01.10.B12."}, {"lang": "es", "value": "Algunos productos ZTE presentan una vulnerabilidad de DoS. Debido al manejo inapropiado de la liberaci\u00f3n de la memoria en algunos escenarios espec\u00edficos, un atacante remoto puede desencadenar la vulnerabilidad al llevar a cabo una serie de operaciones, resultando en una p\u00e9rdida de memoria, que eventualmente puede conllevar a una denegaci\u00f3n de servicio del dispositivo. Esto afecta a: ZXR10 9904, ZXR10 9908, ZXR10 9916, ZXR10 9904-S, ZXR10 9908-S; todas las versiones hasta V1.01.10.B12"}], "lastModified": "2021-02-02T21:19:32.980", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxr10_9904:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D1747E7A-AB46-4D3C-BD82-659DAA58C43A"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:zxr10_9904_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4944E354-3041-46F1-A74B-82CC750273D8", "versionEndIncluding": "v1.01.10.b12"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxr10_9908:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F83A1243-E923-4735-AC8D-875605530747"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:zxr10_9908_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "722F3591-8D28-4D42-BF33-C67169F21BC3", "versionEndIncluding": "v1.01.10.b12"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxr10_9916:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E1DE8F4A-8A42-4C1C-82EA-85543F5E805D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:zxr10_9916_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F35755D-7919-4CC5-B9CA-E88FD4483D4C", "versionEndIncluding": "v1.01.10.b12"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxr10_9904-s:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "78D0B84F-0C58-41C3-8083-BD74E9D0118D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:zxr10_9904-s_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85884147-B665-404A-8117-4519732F7C1D", "versionEndIncluding": "v1.01.10.b12"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxr10_9908-s:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "813FBCBD-4900-49C7-B0E2-C75DD3788694"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:zxr10_9908-s_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0602358F-5958-4172-AB42-8C77853A5347", "versionEndIncluding": "v1.01.10.b12"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@zte.com.cn"}