Some Vulnerabilities in ZTE ZXCLOUD iRAI

Original Release Date: January 3, 2024

 

Vulnerability ID

Vulnerability 1: CVE ID: CVE-2023-41779, CNNVD ID: CNNVD-2023-01185081

Vulnerability 2: CVE ID: CVE-2023-41780, CNNVD ID: CNNVD-2023-86129980

Vulnerability 3: CVE ID: CVE-2023-41776, CNNVD ID: CNNVD-2023-93981254

Vulnerability 4: CVE ID: CVE-2023-41783, CNNVD ID: CNNVD-2023-35807263

 

CVSS 3.1 Base Score

CVE-2023-41779: 4.4 Medium (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)

CVE-2023-41780: 6.4 Medium (AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVE-2023-41776: 6.7 Medium (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

CVE-2023-41783: 4.3 Medium (AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Description

CVE-2023-41779: There is an illegal memory access vulnerability in ZTE's ZXCLOUD iRAI. When the vulnerability is exploited by attackers with common user permissions, the physical machine will crash.

CVE-2023-41780: There is an unsafe DLL loading vulnerability in ZTE's ZXCLOUD iRAI. Because the program fails to adequately validate the user's input, attackers could exploit this vulnerability to escalate local privileges.

CVE-2023-41776: There is a local privilege escalation vulnerability in ZTE's ZXCLOUD iRAI. Attackers with regular user privileges can create a fake process and escalate local privileges.

CVE-2023-41783: There is a command injection vulnerability in ZTE's ZXCLOUD iRAI. Because the program fails to adequately validate the user's input, attackers could exploit this vulnerability to escalate local privileges.

 

Affected Products and Fixes

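| Product Name | CVE ID | Affected Version | Resolved Version |
|---|---|---|---|
| ZXCLOUD iRAI | CVE-2023-41779 | All versions up to 7.23.21 | 7.23.32 |
| ZXCLOUD iRAI | CVE-2023-41780 | All versions up to 7.23.23 | 7.23.32 |
| ZXCLOUD iRAI | CVE-2023-41776 | All versions up to 7.23.31 | 7.23.32 |
| ZXCLOUD iRAI | CVE-2023-41783 | All versions up to 7.22.11P2 | 7.23.32 |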

 

Acknowledgement

ZTE thanks Zhao RunZhi for paying attention to our products and cooperating with us to disclose the vulnerabilities.

Update Records

January 3, 2024, initial.

 

Version Update Method

A device that supports automatic updates will display a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

 

Global Customer Support Center

http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

 

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html