Updated:  March 19, 2014

Statement Date:   March 19, 2014

Status

Affected

Vendor Statement

'The web_shell_cmd.gch is actually a part of the home gateway requirements for device maintenance. It allows remote maintenance on the device by after-sales engineers for the scenario when the home gateway telnet function is disabled. During the commercial launch ZTE has found this requirement may cause security risk and consequently disabled this web_shell_cmd.gch in the firmware after 31st Jul.2012. This risk therefore only existed in the firmware before 31st Jul.2012, including F460 V2.30 and F660 V2.30. On 27th May 2013 ZTE released an official firmware (F460 V2.30, F660 V2.30) fixing the web_shell_cmd.gch risk on ZTE’s support website and informed ZTE Chinese domestic after-sales departments because these 2 risky products are used only for Chinese telecommunications operators. The after-sales departments have contacted the customers about how and when to upgrade the risky firmware. Looking at the timeline of all events ZTE believes that the backdoor issue was found by Rapid7 during the upgrade phase.'

Vendor Information

We are not aware of further vendor information regarding this vulnerability.