CVE-2021-21745
Published 2021-10-20
CVE-2021-21745: ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attacker could use this vulnerability to perform illegal…
Priority: P2 77 · medium · 4.3 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:U / C:N / I:L / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 55.71% (98.9th percentile)
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attacker could use this vulnerability to perform illegal authorization operations by sending a request to the user to click.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zte | mf971r_firmware | — | — |
Detection & IOCs
url: /goform/goform_get_cmd_process?cmd=psw_fail_num_str
other: Referer: http://interact.sh/127.0.0.1.html
snort: 57749, 57750, 57751, 57752, 57798, 57799, 57802, 57803, 57829
- Exploit traffic targets the endpoint GET /goform/goform_get_cmd_process?cmd=psw_fail_num_str with a spoofed/crafted Referer header to bypass CSRF/Referer authentication checks on ZTE MF971R routers.
- A successful exploit response contains the JSON key 'psw_fail_num_str' with a numeric value; match regex psw_fail_num_str":"[0-9] in the HTTP response body with status 200.
- CVE-2021-21745 is chained with CVE-2021-21748 (pre-auth stack-based buffer overflow) to achieve unauthenticated RCE; detection of the Referer bypass alone may indicate a staged attack leading to full device compromise.
- Exploitation requires the victim to visit a malicious website; monitor for drive-by HTTP requests originating from user browsers targeting the router's /goform/ endpoint.
- Vulnerable firmware versions are specifically identified; only these versions are confirmed exploitable by Talos testing.
- Snort rules may change over time; always consult Firepower Management Center or Snort.org for the most current rule definitions.
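The detection notes above can be combined into one triage pass over proxy or capture logs. The sketch below is an added example, not code from Talos, ZTE or the Nuclei project; the transaction field names (host, path, referer, status, body), the device address 192.168.0.1, the example.test site and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the detection notes above.
GOFORM_PREFIX = "/goform/"
PROBE_QUERY = "cmd=psw_fail_num_str"
SUCCESS_RE = re.compile(r'psw_fail_num_str":"[0-9]')


def classify(txn):
    """Classify one HTTP transaction: 'ok', 'suspicious' or 'bypass-confirmed'."""
    target = urlsplit(txn["path"])
    if not target.path.startswith(GOFORM_PREFIX):
        return "ok"
    referer = txn.get("referer") or ""
    if not referer:
        return "ok"  # requests without a Referer are outside this check
    # Compare hostnames only: a device address that merely appears somewhere
    # in the Referer string (path, query) is not treated as same-origin.
    device = (urlsplit("//" + txn["host"]).hostname or "").lower()
    ref_host = (urlsplit(referer).hostname or "").lower()
    if ref_host == device:
        return "ok"
    # Cross-site request to /goform/; check whether the device answered it.
    answered = (
        txn.get("status") == 200
        and PROBE_QUERY in target.query
        and SUCCESS_RE.search(txn.get("body", "")) is not None
    )
    return "bypass-confirmed" if answered else "suspicious"


# Constructed sample transactions (hypothetical device at 192.168.0.1).
PROBE = "/goform/goform_get_cmd_process?cmd=psw_fail_num_str"
SAMPLES = [
    {"host": "192.168.0.1", "path": PROBE, "status": 200,
     "referer": "http://192.168.0.1/index.html", "body": '{"psw_fail_num_str":"5"}'},
    {"host": "192.168.0.1:80", "path": PROBE, "status": 200,
     "referer": "http://example.test/192.168.0.1.html", "body": '{"psw_fail_num_str":"5"}'},
    {"host": "192.168.0.1", "path": PROBE, "status": 200,
     "referer": "http://example.test/page.html", "body": '{"result":"failure"}'},
    {"host": "192.168.0.1", "path": "/index.html", "status": 200,
     "referer": "http://example.test/", "body": "<html></html>"},
]


def triage(samples=SAMPLES):
    """Return the verdict for each transaction, in input order."""
    return [classify(t) for t in samples]
```

A "bypass-confirmed" verdict on a device that has not been patched is worth treating as the first stage of the CVE-2021-21748 chain described above, not as an isolated medium-severity event.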
CVSS provenance
nvd · v3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck · 4.3 MEDIUM
GHSA
GHSA-38xm-h4pj-7w7h: ZTE MF971R product has a Referer authentication bypass vulnerability
ghsa_unreviewed·2022-05-24
CVE-2021-21745 [MEDIUM] CWE-287 GHSA-38xm-h4pj-7w7h: ZTE MF971R product has a Referer authentication bypass vulnerability
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attacker could use this vulnerability to perform illegal authorization operations by sending a request to the user to click.
VulnCheck
ZTE mf971r_firmware Cross-Site Request Forgery (CSRF)
vulncheck·2021·CVSS 4.3
CVE-2021-21745 [MEDIUM] ZTE mf971r_firmware Cross-Site Request Forgery (CSRF)
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attacker could use this vulnerability to perform illegal authorization operations by sending a request to the user to click.
Affected: ZTE mf971r_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-21745; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnerability=cve-2021-21745; https://dashboard.shadowserver.org/statis
No detection rules found.
Nuclei
ZTE MF971R - Referer authentication bypass
nuclei·CVSS 4.3
CVE-2021-21745 [MEDIUM] ZTE MF971R - Referer authentication bypass
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attacker could use this vulnerability to perform illegal authorization operations by sending a request to the user to click.
Template:
```yaml
id: CVE-2021-21745
info:
  name: ZTE MF971R - Referer authentication bypass
  author: gy741
  severity: medium
  description: |
    ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attacker could
    use this vulnerability to perform illegal authorization operations by sending a request to the user to click.
  impact: |
    An attacker can bypass authentication and gain unauthorized access to the router.
  remediation: |
    Apply the latest firmware update provided by ZTE to fix the authenti
```
Talos
The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter
blogs_talos·2023-08-02
- Since the discovery of the widespread VPNFilter malware in 2018, Cisco Talos researchers have been researching vulnerabilities in small and home office (SOHO) and industrial routers.
- During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141 advisories covering 289 CVEs across multiple routers.
- Talos is highlighting some of the major issues our researchers discovered over the past several years, including vulnerabilities that an attacker could mostly directly access or those an adversary could chain together to gain elevated access to the devices.
- There are several Snort rules that can detect possible exploitation of the vulnerabilities included in this post.
Small office/home office (SOHO) routers and small-scale industrial rout
Talos
Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device
blogs_talos·2022-03-07·CVSS 4.3
CVE-2021-21748 [MEDIUM] Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device
Cisco Talos’ vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE’s patch, we decided to take an even closer look at two of these vulnerabilities — CVE-2021-21748 and CVE-2021-21745 — to show how they could be chained together by an attacker to completely take over a device.
In our latest research paper, Marcin Noga, the researcher who discovered these vulnerabilities, walks through the process of how he discovered these vulnerabilities and shows the worst-case scenario for a user should an attacker choose to exploit these issues. You can read the full paper by clicking on the button to the right, and watch the video above to see a snippet of this attack vector.
Talos
Vulnerability Spotlight: Multiple vulnerabilities in ZTE MF971R LTE router
blogs_talos·2021-10-18·CVSS 4.3
[MEDIUM] Vulnerability Spotlight: Multiple vulnerabilities in ZTE MF971R LTE router
Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router.
The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could exploit all these vulnerabilities by sending a specially crafted HTTP request to the targeted device.
TALOS-2021-1320 and TALOS-2021-1321 are stack-based buffer overflow vulnerabilities. An attacker could exploit these issues to execute arbitrary remote code on the targeted device. As part of these exploits, the attacker needs to complete a referrer bypass, which is outlined in TALOS-2021-1317.
TALOS-2021-1318 and TALOS-2021-1319 are pre-authentication, cross-site scripting vulnerabilities that an attacker could use to execute arbitrary JavaScript in the victim’s browser in a context of a route
2021-10-20: Published
Exploited in the wild