KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Hard-coded Credentials Shell Access
Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Hard-coded Credentials Shell Access
Advisory ID: ZSL-2021-5637
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 18.03.2021
Summary
JT3500V is an advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high-speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multimedia data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high-performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual-band Wi-Fi, and advanced routing and firewall software for security. It provides an effective all-in-one solution for SOHO or residential customers. It can deliver up to 1 Gbps maximum data throughput, which is very competitive with wired broadband access service.
Description
The device uses hard-coded credentials within its Linux distribution image. These credentials are never exposed to the end user and cannot be changed through any normal operation of the router.
Vendor
KZ Broadband Technologies, Ltd. - http://www.kzbtech.com
Jaton Technology, Ltd. - http://www.jatontec.com
Neotel DOO - https://www.neotel.mk
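The Description section above states the image ships with credentials the end user can neither see nor change. The following audit script is an added example, not the advisory's PoC file and not code from Zero Science Lab or the vendors: given the text of /etc/passwd and /etc/shadow taken from an extracted firmware root filesystem, it flags every login-capable account whose password field is a baked-in hash or is empty, which is exactly the class of account a user cannot fix from the router's UI. The usernames and hash values in the sample files are constructed placeholders, not values from the JT3500V image.

```python
"""Audit an extracted firmware root filesystem's account database for
hard-coded logins (added example; constructed sample data, not the
advisory's PoC file)."""
from dataclasses import dataclass
from typing import Dict, List

# Shells that refuse an interactive login.
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}


@dataclass
class Finding:
    user: str
    uid: int
    shell: str
    status: str   # "hashed", "empty", "locked" or "unresolved"
    source: str   # which file supplied the password field
    risky: bool   # fixed (or missing) password on a login-capable account


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Parse passwd/shadow-style lines into {username: fields}, skipping blanks and comments."""
    rows: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def classify(pw_field: str) -> str:
    """Map a password field to the account state it implies."""
    if pw_field == "":
        return "empty"            # login succeeds with no password at all
    if pw_field.startswith(("*", "!")):
        return "locked"           # no password can match this field
    if pw_field == "x":
        return "unresolved"       # points at a shadow entry that is missing
    return "hashed"               # a baked-in hash: a fixed credential


def audit_accounts(passwd_text: str, shadow_text: str = "") -> List[Finding]:
    """Return one Finding per passwd entry, preferring the shadow field when present."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings: List[Finding] = []
    for user, f in passwd.items():
        if len(f) < 7:
            continue  # malformed entry; login(1) would reject it as well
        pw, source = f[1], "passwd"
        if user in shadow and len(shadow[user]) >= 2:
            pw, source = shadow[user][1], "shadow"
        status = classify(pw)
        login_capable = f[6] not in NON_LOGIN_SHELLS
        risky = login_capable and status in ("hashed", "empty")
        findings.append(Finding(user, int(f[2]), f[6], status, source, risky))
    return findings


def hard_coded_logins(findings: List[Finding]) -> List[Finding]:
    """Only the accounts an end user cannot remediate by changing a password in the UI."""
    return [f for f in findings if f.risky]


# Constructed sample files; the usernames and hashes are placeholders,
# not values taken from the JT3500V image.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
svcacct:x:0:0:vendor service:/:/bin/sh
admin::500:500:web admin:/:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
"""
SHADOW_SAMPLE = """\
root:$1$PLACEHOLDER$0000000000000000000000:10933:0:99999:7:::
svcacct:$1$PLACEHOLDER$1111111111111111111111:10933:0:99999:7:::
"""

if __name__ == "__main__":
    for f in hard_coded_logins(audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE)):
        print(f"{f.user:10} uid={f.uid:<6} shell={f.shell:10} {f.status} (from {f.source})")
```

Run it against the passwd and shadow files pulled out of an unpacked image; every account it lists as risky is a credential baked into the firmware, and a second uid 0 entry (as the constructed svcacct line shows) is a root-equivalent login that the web UI's password change never touches. Such findings are remediated only by a firmware update from the vendor.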
Affected Version
Model | Firmware
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Tested On
GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vendor Status
[03.02.2021] Vulnerability discovered.
[05.02.2021] Contact with Neotel.
[07.02.2021] Contact with KZ Tech.
[08.02.2021] Contact with Jaton Tech.
[09.02.2021] Contact with Neotel.
[12.02.2021] Contact with MKD-CIRT.
[12.02.2021] MKD-CIRT opens a case, informs Neotel.
[17.03.2021] No response from the vendors.
[18.03.2021] Public security advisory released.
PoC
jt3500v_hardcoded.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/49682
[2] https://packetstormsecurity.com/files/161883
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/198475
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28259
[5] https://nvd.nist.gov/vuln/detail/CVE-2021-28259
Changelog
[18.03.2021] - Initial release
[23.03.2021] - Added reference [1], [2] and [3]
[19.06.2021] - Added reference [4] and [5]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk