SBA Security Advisory – ZTE ZXUN-ePDG – Use of non-unique cryptographic keys under default configuration (CVE-2024-22064)

July 31, 2024

Vulnerability Overview

ZTE ZXUN-ePDG product, which serves as the network node of the VoWiFi system, under by default configuration, uses a set of non-unique cryptographic keys during establishing a secure connection (IKE) with the mobile devices connecting over the internet. If the set of keys are leaked or cracked, the user session informations using the keys may be leaked.

Affected Version: V5.20.19 and ealier

Type of Vulnerability: Global Key Reusage
Fixed in Version: V5.20.20
CVE ID: CVE-2024-22064
CVSS Vector: CVSS v3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS Base Score: 8.3 (High)

Recommended Countermeasure

We recommend to update ZTE ZXUN-ePDG to version V5.20.20 or later. For further details, see full paper.

Links

Full Paper
ZTE Configuration Error Vulnerability in ZTE ZXUN-ePDG
Github Repository

Credits

Gabriel Gegenhuber (SBA Research, Universität Wien)
Florian Holzbauer (Universität Wien)
Philipp Frenzel (SBA Research)
Edgar Weippl (Universität Wien, CDL-SQI)
Adrian Dabrowski (CISPA)

Name	SBA Research Cookie
Provider	SBA Research
Purpose	Saves the settings of the visitors selected in the cookie box.
Cookie name	sba-research-cookie
Cookie runtime	1 year

Name	YouTube
Provider	YouTube
Purpose	Used to unblock YouTube content.
Privacy policy	https://policies.google.com/privacy
Host(s)	google.com
Cookie name	NID
Cookie runtime	6 months

Name	Vimeo
Provider	Vimeo
Purpose	Used to unblock Vimeo content.
Privacy policy	https://vimeo.com/privacy
Host(s)	player.vimeo.com
Cookie name	vuid
Cookie runtime	2 years

News