CVE-2017-10934
Description
Unauthenticated RCE via Java deserialization of Apache Commons Collections in ZTE ZXIPTV-EPG Java RMI service before V5.09.02.02T4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
All versions of the ZTE ZXIPTV-EPG product prior to V5.09.02.02T4 ship a Java RMI service together with the Apache Commons Collections (ACC) library, a combination that introduces Java deserialization vulnerabilities [1]. An unauthenticated remote attacker can exploit this by sending a crafted RMI request to the target host [1].
Exploitation
The attacker does not require any prior authentication or network position beyond reachability of the RMI service [1]. By crafting a malicious serialized Java object that leverages known ACC gadget chains, the attacker sends it as an RMI request to the server [1]. The server's deserialization of untrusted data triggers arbitrary code execution in the context of the Java RMI process [1].
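A defender-side check for the artifact this attack leaves on the wire, added here as an example and not taken from the ZTE advisory or the product: it recognises the Java serialization header in a captured RMI call body and flags class descriptors under the ACC functors package, which is where the Transformer classes used by the known gadget chains live. The sample streams are constructed, and ExampleTransformer is a made-up class name.

```python
import re
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"  # Java object stream: STREAM_MAGIC + STREAM_VERSION 5
TC_CLASSDESC = 0x72                   # tag preceding a class descriptor (2-byte length + name)
# Packages holding the Transformer classes used by the known ACC gadget chains;
# a stream naming them at an RMI endpoint warrants an alert.
SUSPICIOUS_PREFIXES = ("org.apache.commons.collections.functors.",
                       "org.apache.commons.collections4.functors.")
_JAVA_CLASS = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+")

def is_java_serialized(data: bytes) -> bool:
    """True if the buffer starts with the Java serialization header."""
    return data.startswith(STREAM_HEADER)

def class_names(data: bytes) -> list:
    """Heuristically collect class names from TC_CLASSDESC records.
    Not a full stream parser: it scans for the 0x72 tag and keeps the following
    length-prefixed string only if it looks like a Java class name."""
    names, i = [], len(STREAM_HEADER)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", data[i + 1:i + 3])
            raw = data[i + 3:i + 3 + n]
            name = raw.decode("utf-8", errors="replace")
            if len(raw) == n and _JAVA_CLASS.fullmatch(name):
                names.append(name)
                i += 3 + n
                continue
        i += 1
    return names

def assess_rmi_payload(data: bytes) -> dict:
    """Classify a captured RMI call body: serialized at all, and naming ACC gadget classes?"""
    if not is_java_serialized(data):
        return {"serialized": False, "classes": [], "suspicious": []}
    names = class_names(data)
    return {"serialized": True, "classes": names,
            "suspicious": [n for n in names if n.startswith(SUSPICIOUS_PREFIXES)]}

def _class_desc(name: str) -> bytes:
    """Minimal TC_CLASSDESC fragment (tag, length, name, zeroed serialVersionUID) for samples."""
    raw = name.encode("utf-8")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw + b"\x00" * 8

# Constructed samples, not real captures: a benign HashMap stream and one that also
# names a made-up class under the ACC functors package (TC_OBJECT 0x73 precedes each).
BENIGN_SAMPLE = STREAM_HEADER + b"\x73" + _class_desc("java.util.HashMap")
SUSPICIOUS_SAMPLE = BENIGN_SAMPLE + b"\x73" + _class_desc(
    "org.apache.commons.collections.functors.ExampleTransformer")
```

Run `assess_rmi_payload` over the body of each captured RMI call; a non-empty `suspicious` list on traffic bound for the EPG's RMI port is the signal to investigate, and anything not starting with the header is simply not a Java object stream.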
Impact
Successful exploitation results in remote code execution on the target host with the privileges of the Java RMI service [1]. This allows the attacker to compromise the confidentiality, integrity, and availability of the affected system [1].
Mitigation
ZTE released version V5.09.02.02T4 to fix the vulnerability [1]. Users should upgrade to this version or later [1]. If immediate upgrade is not possible, as a workaround, administrators should firewall all exposed ports used by the server, including the RMI registry port, from any untrusted IP address [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1. support.zte.com.cn/support/news/LoopholeInfoDetail.aspx (MITRE, x_refsource_CONFIRM)
News mentions: 0
No linked articles in our index yet.