Configuration error Vulnerability in ZTE ZXUN-ePDG

Vulnerability

ZTE ZXUN-ePDG, the network node of the VoWifi system, uses a set of non-unique cryptographic keys by default when establishing an IKE (Internet Key Exchange) secure connection with mobile devices. Affected versions are V5.20.19 and earlier [1]. This means the same keys are reused across multiple sessions or devices, making them a single point of failure.

Exploitation

An attacker on an adjacent network (CVSS Attack Vector: Adjacent) with no authentication or user interaction can intercept the IKE handshake. If the non-unique keys are leaked or cracked, the attacker can decrypt user session information. The precise mechanism involves obtaining the static keys and using them to decrypt captured traffic [1].

Impact

Successful exploitation leads to leakage of user session information, including potentially sensitive data transmitted over the VoWifi connection. The impact on confidentiality and integrity is high, while availability is low. Due to key non-uniqueness, multiple users' sessions are compromised simultaneously. No privileged access is required [1].

Mitigation

The vulnerability is fixed in ZXUN-ePDG version V5.20.20 [1]. ZTE has notified affected customers and recommends upgrading to the fixed version. No workarounds are documented, and the vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of the publication date.