CVE-2024-22064 (GCVE-0-2024-22064)
Vulnerability from cvelistv5
Published
2024-05-10 12:28
Modified
2024-08-01 22:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1051 - Initialization with Hard-Coded Network Resource Configuration Data
Summary
ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zte:zxun-epdg:5.20.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zxun-epdg",
"vendor": "zte",
"versions": [
{
"status": "affected",
"version": "5.20.15"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-10T14:50:14.318678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:52:44.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.708Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"64 bit"
],
"product": "ZXUN-ePDG",
"vendor": "ZTE",
"versions": [
{
"lessThanOrEqual": "V5.20.19",
"status": "affected",
"version": "V5.20.15",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-12",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-12 Choosing Message Identifier"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1051",
"description": "CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-10T12:28:16.445Z",
"orgId": "6786b568-6808-4982-b61f-398b0d9679eb",
"shortName": "zte"
},
"references": [
{
"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eV5.20.20\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "V5.20.20\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Configuration error Vulnerability in ZTE ZXUN-ePDG",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb",
"assignerShortName": "zte",
"cveId": "CVE-2024-22064",
"datePublished": "2024-05-10T12:28:16.445Z",
"dateReserved": "2024-01-05T01:51:09.680Z",
"dateUpdated": "2024-08-01T22:35:34.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-22064\",\"sourceIdentifier\":\"psirt@zte.com.cn\",\"published\":\"2024-05-14T14:56:40.160\",\"lastModified\":\"2025-01-28T16:12:31.863\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.\\n\\n\"},{\"lang\":\"es\",\"value\":\"El producto ZTE ZXUN-ePDG, que sirve como nodo de red del sistema VoWifi, en su configuraci\u00f3n predeterminada, utiliza un conjunto de claves criptogr\u00e1ficas no \u00fanicas al establecer una conexi\u00f3n segura (IKE) con los dispositivos m\u00f3viles que se conectan a trav\u00e9s de Internet. Si el conjunto de claves se filtra o se descifra, es posible que se filtre la informaci\u00f3n de la sesi\u00f3n del usuario que utiliza las claves.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@zte.com.cn\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"psirt@zte.com.cn\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1051\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-665\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zte:zxun-epdg:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.20.20\",\"matchCriteriaId\":\"428020C1-365E-4AD1-AFF7-51D3916201BE\"}]}]}],\"references\":[{\"url\":\"https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524\",\"source\":\"psirt@zte.com.cn\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T22:35:34.708Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-22064\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-10T14:50:14.318678Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:zte:zxun-epdg:5.20.15:*:*:*:*:*:*:*\"], \"vendor\": \"zte\", \"product\": \"zxun-epdg\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.20.15\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-10T14:51:24.599Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Configuration error Vulnerability in ZTE ZXUN-ePDG\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-12\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-12 Choosing Message Identifier\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.3, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"ZTE\", \"product\": \"ZXUN-ePDG\", \"versions\": [{\"status\": \"affected\", \"version\": \"V5.20.15\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"V5.20.19\"}], \"platforms\": [\"64 bit\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"V5.20.20\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eV5.20.20\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1051\", \"description\": \"CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data\"}]}], \"providerMetadata\": {\"orgId\": \"6786b568-6808-4982-b61f-398b0d9679eb\", \"shortName\": \"zte\", \"dateUpdated\": \"2024-05-10T12:28:16.445Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-22064\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T22:35:34.708Z\", \"dateReserved\": \"2024-01-05T01:51:09.680Z\", \"assignerOrgId\": \"6786b568-6808-4982-b61f-398b0d9679eb\", \"datePublished\": \"2024-05-10T12:28:16.445Z\", \"assignerShortName\": \"zte\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…