China Mobile Products Telnet Service Improper Authorization Vulnerability

Vulnerability

An improper authorization vulnerability in the Telnet service has been identified in several China Mobile products, including the P22g-CIac, GT3200-4G4P, GT3200-8G8P, ZXWT-MIG-P4G4V, and ZXWT-MIG-P8G8V, all versions prior to 20250305. This vulnerability allows attackers to enable the Telnet service on the local area network without authorization. Additionally, those who log in with default weak passwords can activate the Telnet service on the wide area network. The Telnet service uses hard-coded credentials for authentication, enabling attackers to escalate privileges to root by using the 'su' command after connecting via Telnet. Successful exploitation grants full control over the affected gateway devices, posing a significant risk to overall network security.

Impact

Exploitation of this vulnerability allows for unauthorized access to the Telnet service, with potential escalation of privileges to root, leading to full control over the affected device.

Reproduction

To reproduce this vulnerability, access a vulnerable China Mobile gateway device within the local network. Without any authorization, enable the Telnet service on the LAN side. If the device is accessed using a default weak password, the Telnet service can also be activated on the WAN side. Once connected to Telnet, use the 'su' command to escalate privileges to root, taking advantage of the hard-coded credentials.

Remediation

It is recommended to implement proper firewalling to restrict unauthorized access to the Telnet service.
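One way to verify that the firewalling actually blocks the Telnet service on your own gateways, as an added example that is not part of the advisory or any vendor tooling: it connects to each address you supply and confirms Telnet by parsing the server's IAC option negotiation. The function names are hypothetical, and the default TCP port 23 is an assumption because the advisory does not state a port.

```python
import socket
import sys

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}


def parse_negotiation(data: bytes) -> list:
    """Return (verb, option) pairs for each IAC negotiation triple in data."""
    found, i = [], 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data) and data[i + 1] == IAC:
            i += 2  # escaped literal 0xFF, not a command
        elif data[i] == IAC and i + 2 < len(data) and data[i + 1] in VERBS:
            found.append((VERBS[data[i + 1]], data[i + 2]))
            i += 3
        else:
            i += 1
    return found


# Assumption: Telnet listens on the default port 23 (not stated in the advisory).
def check_telnet(host: str, port: int = 23, timeout: float = 3.0) -> dict:
    """Classify host:port as closed_or_filtered, open, or telnet."""
    result = {"host": host, "port": port, "state": "closed_or_filtered", "options": []}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["state"] = "open"
            try:
                data = sock.recv(256)  # Telnet servers usually negotiate first
            except OSError:
                data = b""  # silent or reset: port is open, protocol unknown
    except OSError:
        return result  # refused, unreachable or timed out
    result["options"] = parse_negotiation(data)
    if result["options"]:
        result["state"] = "telnet"
    return result


def audit(hosts, port=23, timeout=3.0):
    """Return findings only for hosts where the port accepted a connection."""
    results = (check_telnet(h, port, timeout) for h in hosts)
    return [r for r in results if r["state"] != "closed_or_filtered"]


if __name__ == "__main__":
    # Pass your own gateway addresses as arguments; none are built in.
    for finding in audit(sys.argv[1:]):
        print(finding)
```

Run it once from a LAN host and once from a WAN-side vantage point, since the advisory describes the service being enabled on either side; any finding with state `telnet` means the filtering is not in effect for that path.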

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.