ZTE F460/F660 cable modems contain an unauthenticated backdoor.
ZTE F460/F660 cable modems contain an unauthenticated backdoor. The web_shell_cmd.gch script accepts unauthenticated commands that have administrative access to the device. It has been reported that the web_shell_cmd.gch script is sometimes accessible from the WAN interface making exploitation of this backdoor from the Internet possible in certain cases.
Additional details may be found in Rapid7's R7-2013-18 advisory.
An unauthenticated attacker can run commands with administrator level access on the device.
We are currently unaware of a practical solution to this problem. Please consider the following workaround.
Remove Affected Script
ZTE Corporation Affected
Updated: March 19, 2014
Statement Date: March 19, 2014
'The web_shell_cmd.gch is actually a part of the home gateway requirements for device maintenance. It allows remote maintenance on the device by after-sales engineers for the scenario when the home gateway telnet function is disabled. During the commercial launch ZTE has found this requirement may cause security risk and consequently disabled this web_shell_cmd.gch in the firmware after 31st Jul.2012. This risk therefore only existed in the firmware before 31st Jul.2012, including F460 V2.30 and F660 V2.30.
On 27th May 2013 ZTE released an official firmware (F460 V2.30, F660 V2.30) fixing the web_shell_cmd.gch risk on ZTE’s support website and informed ZTE Chinese domestic after-sales departments because these 2 risky products are used only for Chinese telecommunications operators. The after-sales departments have contacted the customers about how and when to upgrade the risky firmware.
Looking at the timeline of all events ZTE believes that the backdoor issue was found by Rapid7 during the upgrade phase.'
We are not aware of further vendor information regarding this vulnerability.
Thanks to Rapid7 for reporting this vulnerability.
This document was written by Jared Allar.
|Date First Published:||2014-03-04|
|Date Last Updated:||2014-03-19 14:30 UTC|