CVE-2021-21724
Description
A local attacker with device permissions can cause a memory leak on ZXR10 8900E switches by repeatedly attenuating the optical signal, leading to service disruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A memory leak vulnerability exists in ZTE ZXR10 8900E switches due to improper handling of memory release in certain scenarios. Affected versions include all versions up to V3.03.20R2B30P1. The vulnerability is triggered when an attacker with local device permissions repeatedly attenuates the optical signal, causing the device to leak memory and eventually leading to abnormal service [1].
Exploitation
To exploit this vulnerability, an attacker must have local device permissions on the affected ZXR10 8900E switch. The attack vector is local (AV:L), requires high privileges (PR:H), and does not require user interaction (UI:N). The attacker performs the attack by repeatedly attenuating the optical signal, which triggers the improper memory release handling and results in a memory leak over time [1].
Impact
Successful exploitation leads to a denial-of-service (DoS) condition due to memory exhaustion. The impact is solely on availability (A:H), with no impact on confidentiality or integrity. The CVSS v3.1 base score is 4.4 (Medium). The service becomes abnormal and may fail as memory is progressively leaked [1].
Mitigation
ZTE has released a fixed version, V3.03.20R2B30P1, to resolve the vulnerability. Users should upgrade to this version or later. No workarounds are described in the available references. Affected users can contact ZTE support for assistance [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ZTE/ZXR10 8900E
- Range: <= V3.03.20R2B30P1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] support.zte.com.cn/support/news/LoopholeInfoDetail.aspx (mitre, x_refsource_MISC)