KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Insufficient Session Expiration
Advisory ID: ZSL-2021-5646
Type: Local/Remote
Impact: Security Bypass
Risk: (3/5)
Release Date: 18.03.2021
Summary
JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.
Description
The application suffers from insufficient session expiration. This occurs when the web application permits an attacker to reuse old session credentials or session IDs for authorization. Insufficient session expiration increases the device's exposure to attacks that can steal or reuse users' session identifiers.
Vendor
KZ Broadband Technologies, Ltd. - http://www.kzbtech.com
Jaton Technology, Ltd. - http://www.jatontec.com
Neotel DOO - https://www.neotel.mk
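The weakness class named in the Description is closed by expiring and destroying sessions on the server side. The following is an added example, not code from this advisory or from the vendor's firmware: a minimal C session table for an embedded web interface that enforces an idle timeout, an absolute lifetime and destruction on logout. The table size, timeout values and function names are assumptions chosen for illustration.

```c
/* Added illustration: a hypothetical session table, not the vendor's firmware code. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#define MAX_SESSIONS 8
#define TOKEN_LEN    32      /* hex characters (128 random bits) */
#define IDLE_TIMEOUT 300     /* assumed policy: 5 minutes without a request */
#define ABS_LIFETIME 3600    /* assumed policy: 1 hour since login */
struct session { char token[TOKEN_LEN + 1]; time_t created, last_seen; int active; };
static struct session table[MAX_SESSIONS];

static int expired(const struct session *s, time_t now) {
    return now - s->created >= ABS_LIFETIME || now - s->last_seen >= IDLE_TIMEOUT;
}
static struct session *find(const char *tok) {
    for (int i = 0; tok && i < MAX_SESSIONS; i++)
        if (table[i].active && strcmp(table[i].token, tok) == 0) return &table[i];
    return NULL;
}
/* After a successful login: issue a fresh random token, or NULL on failure. */
const char *session_create(time_t now) {
    unsigned char raw[TOKEN_LEN / 2];
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &table[i];
        if (s->active && !expired(s, now)) continue;   /* slot holds a live session */
        FILE *f = fopen("/dev/urandom", "rb");
        size_t n = f ? fread(raw, 1, sizeof raw, f) : 0;
        if (f) fclose(f);
        if (n != sizeof raw) return NULL;
        for (size_t k = 0; k < sizeof raw; k++) sprintf(s->token + 2 * k, "%02x", raw[k]);
        s->created = s->last_seen = now; s->active = 1;
        return s->token;
    }
    return NULL;                                       /* table full */
}

/* On every request: 1 if live; 0 if unknown, timed out or logged out. */
int session_validate(const char *tok, time_t now) {
    struct session *s = find(tok);
    if (!s) return 0;
    if (expired(s, now)) { memset(s, 0, sizeof *s); return 0; }  /* destroy server-side */
    s->last_seen = now;                                /* sliding idle window */
    return 1;
}

/* Logout destroys the record, so the old token stops working immediately. */
void session_logout(const char *tok) {
    struct session *s = find(tok);
    if (s) memset(s, 0, sizeof *s);
}
```

The clock is passed in as a parameter so the expiry rules can be exercised without waiting; a request handler would pass `time(NULL)`.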
Affected Version
Model | Firmware
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Tested On
GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vendor Status
[03.02.2021] Vulnerability discovered.
[05.02.2021] Contact with Neotel.
[07.02.2021] Contact with KZ Tech.
[08.02.2021] Contact with Jaton Tech.
[09.02.2021] Contact with Neotel.
[12.02.2021] Contact with MKD-CIRT.
[12.02.2021] MKD-CIRT opens a case, informs Neotel.
[17.03.2021] No response from the vendors.
[18.03.2021] Public security advisory released.
PoC
jt3500v_session.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/161892/
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/198471
Changelog
[18.03.2021] - Initial release
[23.03.2021] - Added reference [1] and [2]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk