
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Remote Code Execution (Backdoors)

Critical
Advisory ID: ZSL-2021-5639
Release Date: 18 March 2021
Vendor:
KZ Broadband Technologies, Ltd. - http://www.kzbtech.com
Jaton Technology, Ltd. - http://www.jatontec.com
Neotel DOO - https://www.neotel.mk
Affected Version:
Model | Firmware
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Tested On:
GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Summary

JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.

Description

The device has several backdoors and hidden pages that allow remote code execution, overwriting of the bootrom, and enabling of debug mode.

Proof of Concept
Disclosure Timeline
03.02.2021 - Vulnerability discovered.
05.02.2021 - Contact with Neotel.
07.02.2021 - Contact with KZ Tech.
08.02.2021 - Contact with Jaton Tech.
09.02.2021 - Contact with Neotel.
12.02.2021 - Contact with MKD-CIRT.
12.02.2021 - MKD-CIRT opens a case, informs Neotel.
17.03.2021 - No response from the vendors.
18.03.2021 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
18.03.2021 - Initial release
23.03.2021 - Added reference [1], [2] and [3]
19.06.2021 - Added reference [4] and [5]