CVE-2018-7356

Vulnerability

All versions up to V3.03.10.B23P2 of the ZTE ZXR10 8905E product reuse TCP Initial Sequence Numbers (ISNs). This makes the ISN easily predictable and allows a remote attacker to spoof TCP connections. The vulnerability is present in the switch's TCP stack, and no special configuration is required for the code path to be reachable. Affected versions include all firmware releases prior to the V3.03.20 series [1].

Exploitation

An attacker needs network access to communicate with an affected ZXR10 8905E device. No authentication is required. The attack is classified as high complexity (AV:N/AC:H) because the attacker must be able to observe or infer the reused ISN pattern with sufficient accuracy to inject spoofed TCP segments into an existing session or establish a new session with a spoofed source. A concrete sequence would involve passively sampling TCP connections to the device to identify reused ISN values, then crafting a spoofed TCP handshake or injecting data into an ongoing connection [1].

Impact

Successful exploitation allows the attacker to spoof TCP connections to or from the device. The CVSS 3.0 impact scores are low for confidentiality, integrity, and availability (C:L/I:L/A:L). The attacker could gain the ability to inject or redirect network traffic, potentially leading to limited information disclosure or manipulation of data in transit, but not full compromise of the device or network [1].

Mitigation

ZTE has released fixed firmware versions in the V3.03.20 series and above. The official security bulletin was published on 31 October 2018 and updated on 2 November 2018. Users should upgrade affected devices to V3.03.20 or later. No workaround is documented in the available references; the only remediation is applying the firmware update [1].