
CERT Coordination Center

ZTE F460/F660 cable modems contain an unauthenticated backdoor

Vulnerability Note VU#600724

Original Release Date: 2014-03-04 | Last Revised: 2014-03-19

Overview

ZTE F460/F660 cable modems contain an unauthenticated backdoor.

Description

ZTE F460/F660 cable modems contain an unauthenticated backdoor. The web_shell_cmd.gch script accepts unauthenticated commands, which run with administrative access to the device. It has been reported that the web_shell_cmd.gch script is sometimes accessible from the WAN interface, making exploitation of this backdoor from the Internet possible in certain cases.

Additional details may be found in Rapid7's R7-2013-18 advisory.

ZTE has provided a statement about this vulnerability.

Impact

An unauthenticated attacker can run commands with administrator-level access on the device.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workaround.

Remove Affected Script

Users can log into the device and manually delete the web_shell_cmd.gch script.
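
To see whether the script has been requested, and from which side of the network, the following added example (not part of the original note or of Rapid7's advisory) scans HTTP access logs for requests to web_shell_cmd.gch. The combined log format, the RFC 1918 definition of "LAN", the sample lines and the function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

SCRIPT = "web_shell_cmd.gch"  # script name taken from the note
# Assumption: the LAN side uses RFC 1918 space; anything else counts as WAN.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: "combined" access-log format from a proxy or sensor in front
# of the device's web interface.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def classify(line):
    """Return (timestamp, source, origin, method, status) for a request to
    the script, or None for malformed lines and unrelated requests."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string, decode percent-escapes and fold case so that
    # trivially re-encoded paths still match (deliberately broad).
    path = unquote(urlsplit(m["target"]).path).lower()
    if path.rsplit("/", 1)[-1] != SCRIPT:
        return None
    try:
        addr = ipaddress.ip_address(m["src"])
        origin = "LAN" if any(addr in n for n in LAN_NETS) else "WAN"
    except ValueError:
        origin = "UNKNOWN"  # hostname or junk in the source field
    return (m["ts"], m["src"], origin, m["method"], int(m["status"]))

def scan(lines):
    """Collect every request to the script, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation address range), not real traffic.
SAMPLE = [
    '192.168.1.23 - - [04/Mar/2014:10:01:07 +0000] "GET /web_shell_cmd.gch HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [04/Mar/2014:10:05:44 +0000] "POST /%77eb_shell_cmd.gch HTTP/1.1" 200 97 "-" "-"',
    '203.0.113.7 - - [04/Mar/2014:10:06:02 +0000] "GET / HTTP/1.1" 200 2048 "-" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for ts, src, origin, method, status in scan(SAMPLE):
        print(f"{ts} {origin:7} {src} {method} -> HTTP {status}")
```

A WAN-origin hit corresponds to the Internet-reachable case described above; after the script has been deleted, any further requests for it should no longer return a success status.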

Vendor Information


ZTE Corporation Affected

Updated: March 19, 2014

Statement Date: March 19, 2014

Status

Affected

Vendor Statement

'The web_shell_cmd.gch is actually a part of the home gateway requirements for device maintenance. It allows remote maintenance on the device by after-sales engineers for the scenario when the home gateway telnet function is disabled. During the commercial launch ZTE has found this requirement may cause security risk and consequently disabled this web_shell_cmd.gch in the firmware after 31st Jul. 2012. This risk therefore only existed in the firmware before 31st Jul. 2012, including F460 V2.30 and F660 V2.30.

On 27th May 2013 ZTE released an official firmware (F460 V2.30, F660 V2.30) fixing the web_shell_cmd.gch risk on ZTE’s support website and informed ZTE Chinese domestic after-sales departments because these 2 risky products are used only for Chinese telecommunications operators. The after-sales departments have contacted the customers about how and when to upgrade the risky firmware.

Looking at the timeline of all events ZTE believes that the backdoor issue was found by Rapid7 during the upgrade phase.'

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group | Score | Vector
Base | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal | 7.1 | E:H/RL:W/RC:UC
Environmental | 5.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Rapid7 for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: None
Date Public: 2014-03-03
Date First Published: 2014-03-04
Date Last Updated: 2014-03-19 14:30 UTC
Document Revision: 17

Sponsored by CISA.