Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router.

The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could exploit all these vulnerabilities by sending a specially crafted HTTP request to the targeted device.

TALOS-2021-1320 and TALOS-2021-1321 are stack-based buffer overflow vulnerabilities. An attacker could exploit these issues to execute arbitrary remote code on the targeted device. As part of these exploits, the attacker needs to complete a referrer bypass, which is outlined in TALOS-2021-1317.

TALOS-2021-1318 and TALOS-2021-1319 are pre-authentication, cross-site scripting vulnerabilities that an attacker could use to execute arbitrary JavaScript in the victim’s browser in a context of a router web panel. In this case, an attacker would need to trick the user into opening an attacker-controlled URL that hosts the malicious HTTP request.

An adversary could also exploit pre-authentication TALOS-2021-1316 to cause a configuration file entry overwrite, which in certain cases, could allow the attacker to fully lock down the device.

TALOS-2021-1313 is a CRLF injection vulnerability in the router. Talos would like to specifically call out a potential attack that's a combination of CVE-2021-21748 (pre-authentication stack-based buffer overflow) +andCVE-2021-21745 (CSRF/Referer check bypass) which, together, allows an attacker to trigger arbitrary remote code on the vulnerable device without any authentication. Users would need to visit a malicious website to trigger this vulnerability.

Remote shell on MF971R after the exploitation of CVE-2021-21748 and CVE-2021-21745.

Cisco Talos worked with ZTE to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: ZTE Corp. MF971R router, versions wa_inner_version:BD_LVWRGBMF971RV1.0.0B01, wa_inner_version:BD_PLKPLMF971R1V1.0.0B06, zte_topsw_goahead - MD5 B2176B393A97B5BA13791FC591D2BE3F and zte_topsw_goahead - MD5 bf5ada32c9e8c815bfd51bfb5b8391cb. Talos tested and confirmed these versions of the MF971R router could be exploited by this vulnerability.

The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 57749 - 57752, 57798, 57799, 57802, 57803, 57829. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.