CVE-2024-22064 - Vulnerability Details - OpenCVE

ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zte	Zxun-epdg

Configuration 1 [-]

cpe:2.3:a:zte:zxun-epdg:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524

History

Tue, 28 Jan 2025 16:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:h:zte:zxun-epdg:-:::::::* cpe:2.3:o:zte:zxun-epdg_firmware::::::::	cpe:2.3:a:zte:zxun-epdg::::::::
Vendors & Products	Zte zxun-epdg Firmware

Mon, 27 Jan 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zte Zte zxun-epdg Zte zxun-epdg Firmware
Weaknesses		CWE-665
CPEs		cpe:2.3:h:zte:zxun-epdg:-:::::::* cpe:2.3:o:zte:zxun-epdg_firmware::::::::
Vendors & Products		Zte Zte zxun-epdg Zte zxun-epdg Firmware

MITRE

Status: PUBLISHED

Assigner: zte

Published: 2024-05-10T12:28:16.445Z

Updated: 2024-08-01T22:35:34.708Z

Reserved: 2024-01-05T01:51:09.680Z

Link: CVE-2024-22064

Vulnrichment

Updated: 2024-08-01T22:35:34.708Z

NVD

Status : Analyzed

Published: 2024-05-14T14:56:40.160

Modified: 2025-01-28T16:12:31.863

Link: CVE-2024-22064

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22064", "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "state": "PUBLISHED", "assignerShortName": "zte", "dateReserved": "2024-01-05T01:51:09.680Z", "datePublished": "2024-05-10T12:28:16.445Z", "dateUpdated": "2024-08-01T22:35:34.708Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit"], "product": "ZXUN-ePDG", "vendor": "ZTE", "versions": [{"lessThanOrEqual": "V5.20.19", "status": "affected", "version": "V5.20.15", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.</p><br>"}], "value": "ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.\n\n"}], "impacts": [{"capecId": "CAPEC-12", "descriptions": [{"lang": "en", "value": "CAPEC-12 Choosing Message Identifier"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1051", "description": "CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte", "dateUpdated": "2024-05-10T12:28:16.445Z"}, "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>V5.20.20</p><br>"}], "value": "V5.20.20\n\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Configuration error Vulnerability in ZTE ZXUN-ePDG", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22064", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-10T14:50:14.318678Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:zte:zxun-epdg:5.20.15:*:*:*:*:*:*:*"], "vendor": "zte", "product": "zxun-epdg", "versions": [{"status": "affected", "version": "5.20.15"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:52:44.293Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.708Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.708Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22064", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-10T14:50:14.318678Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:zte:zxun-epdg:5.20.15:*:*:*:*:*:*:*"], "vendor": "zte", "product": "zxun-epdg", "versions": [{"status": "affected", "version": "5.20.15"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-10T14:51:24.599Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Configuration error Vulnerability in ZTE ZXUN-ePDG", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-12", "descriptions": [{"lang": "en", "value": "CAPEC-12 Choosing Message Identifier"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ZTE", "product": "ZXUN-ePDG", "versions": [{"status": "affected", "version": "V5.20.15", "versionType": "custom", "lessThanOrEqual": "V5.20.19"}], "platforms": ["64 bit"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "V5.20.20\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>V5.20.20</p><br>", "base64": false}]}], "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.</p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1051", "description": "CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data"}]}], "providerMetadata": {"orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte", "dateUpdated": "2024-05-10T12:28:16.445Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22064", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:35:34.708Z", "dateReserved": "2024-01-05T01:51:09.680Z", "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "datePublished": "2024-05-10T12:28:16.445Z", "assignerShortName": "zte"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zte:zxun-epdg:*:*:*:*:*:*:*:*", "matchCriteriaId": "428020C1-365E-4AD1-AFF7-51D3916201BE", "versionEndExcluding": "5.20.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection(IKE) with the mobile devices connecting over the internet . If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.\n\n"}, {"lang": "es", "value": "El producto ZTE ZXUN-ePDG, que sirve como nodo de red del sistema VoWifi, en su configuraci\u00f3n predeterminada, utiliza un conjunto de claves criptogr\u00e1ficas no \u00fanicas al establecer una conexi\u00f3n segura (IKE) con los dispositivos m\u00f3viles que se conectan a trav\u00e9s de Internet. Si el conjunto de claves se filtra o se descifra, es posible que se filtre la informaci\u00f3n de la sesi\u00f3n del usuario que utiliza las claves."}], "id": "CVE-2024-22064", "lastModified": "2025-01-28T16:12:31.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "psirt@zte.com.cn", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-14T14:56:40.160", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1035524"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1051"}], "source": "psirt@zte.com.cn", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-665"}], "source": "nvd@nist.gov", "type": "Primary"}]}