Two security researchers said this week that they found severe vulnerabilities and what appear to be deliberate backdoors in the firmware of 29 FTTH OLT devices from popular vendor C-Data.
FTTH stands for Fiber-To-The-Home, while OLT stands for Optical Line Termination.
The term FTTH OLT refers to networking equipment that allows internet service providers to bring fiber-optic cables as close to end users as possible.
As the name suggests, these devices are the termination point of a fiber-optic network, converting data from an optical line into a classic Ethernet cable connection that is then plugged into a consumer's home, a data center, or a business.
These devices sit all over an ISP's network, and because of their crucial role they are also among today's most widespread types of networking equipment, as they need to be installed at countless network termination endpoints around the globe.
Seven very serious vulnerabilities
In a report published this week, security researchers Pierre Kim and Alexandre Torres said they found seven vulnerabilities in the firmware of FTTH OLT devices manufactured by Chinese equipment vendor C-Data.
Kim and Torres said they confirmed the vulnerabilities by analyzing the latest firmware running on two devices, but they believe the same vulnerabilities affect 27 other FTTH OLT models, as those run similar firmware.
The vulnerabilities are as bad as they get, but by far the worst and most disturbing of the seven is the presence of Telnet backdoor accounts hardcoded in the firmware.
The accounts allow attackers to connect to the device via a Telnet server running on the device's WAN (internet-facing) interface. Kim and Torres said the accounts grant intruders full administrator CLI access.
The two researchers said they found four username/password combinations hidden in the C-Data firmware, with the backdoor accounts differing per device, depending on the device model and firmware version:
suma123 / panger123
debug / debug124
root / root126
guest / [empty]
This initial backdoor CLI access could then be used to exploit other vulnerabilities. For instance, Kim and Torres said an attacker could also use a second bug to list the credentials of all other device administrators in cleartext in the Telnet CLI; credentials that could be used at a later point in case the backdoor account is removed.
A third vulnerability also allowed the attacker to execute shell commands with root privileges from any CLI account.
The fourth bug was found in the same Telnet server running on the WAN interface. Kim and Torres said this server could be abused to crash the FTTH OLT device. Since the server runs by default on the WAN interface, this bug could be used to disrupt an ISP's network if the ISP is not filtering traffic towards its FTTH OLT devices.
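The two practical consequences of the Telnet findings above are that an OLT's Telnet service should never be reachable from anything but the management network, and that any login under one of the four account names the researchers reported should be investigated. The script below is an added example, not code from the researchers' report or from C-Data; it runs a defender's audit over constructed syslog-style telnetd login records. The log line format, the management prefix 192.0.2.0/24 and the host names are assumptions made for the example, so the regex will need adapting to a real device's log output.

```python
import ipaddress
import re

# Account names the researchers reported as hardcoded Telnet backdoors.
# Passwords are deliberately omitted: the user names alone suffice to audit logins.
BACKDOOR_USERS = {"suma123", "debug", "root", "guest"}

# Assumed management prefix from which OLT CLI logins are legitimate (constructed).
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")

# Assumed syslog line shape (constructed); real telnetd/OLT formats vary, so adapt the regex.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\stelnetd\[\d+\]:\s"
    r"login\sfrom\s(?P<src>[\d.]+)\suser=(?P<user>\S+)\sresult=(?P<result>\w+)$"
)

# Constructed sample log: one benign login, one backdoor account from the internet,
# one failed attempt from the internet, one backdoor account from the management net,
# and one unrelated sshd line that the audit must ignore.
SAMPLE_LOG = """\
Jul 10 09:12:01 olt-01 telnetd[412]: login from 192.0.2.15 user=netops result=ok
Jul 10 09:13:44 olt-01 telnetd[412]: login from 198.51.100.7 user=suma123 result=ok
Jul 10 09:14:02 olt-02 telnetd[517]: login from 198.51.100.7 user=netops result=fail
Jul 10 09:15:30 olt-02 telnetd[517]: login from 192.0.2.15 user=debug result=ok
Jul 10 09:16:00 olt-01 sshd[600]: Accepted publickey for netops from 192.0.2.15
"""


def audit_telnet_logins(log_text, mgmt_net=MGMT_NET, backdoor_users=BACKDOOR_USERS):
    """Return one finding per suspicious Telnet login attempt, successful or not."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a telnetd login record
        src = ipaddress.ip_address(m["src"])
        reasons = []
        if src not in mgmt_net:
            # Telnet on the WAN side is itself the problem, whether or not the login succeeded.
            reasons.append("telnet login attempt from outside the management prefix")
        if m["user"] in backdoor_users:
            reasons.append("account name matches a reported hardcoded backdoor")
        if reasons:
            findings.append({
                "host": m["host"],
                "src": str(src),
                "user": m["user"],
                "result": m["result"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_telnet_logins(SAMPLE_LOG):
        print(f"{f['host']}: {f['user']}@{f['src']} ({f['result']}): {'; '.join(f['reasons'])}")
```

On the constructed sample this reports three events: the backdoor account used from the internet (two reasons), the failed attempt from the internet, and the backdoor account used from inside the management network. The last one matters: filtering WAN traffic towards the OLTs does not remove the hardcoded accounts, so logins under those names should be alerted on regardless of source.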
But the devices were also running a web server that was included to power the device's management web panel. Here, Kim and Torres found the fifth bug. Simply by downloading six text files from this web server, an attacker could obtain cleartext account credentials for the device's web interface, Telnet server, and SNMP interface.
In case any of the passwords are stored in an encrypted format, Kim and Torres say this is not a problem either, as the credentials are typically protected with an easy-to-break XOR function.
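Why a XOR "encryption" of stored credentials offers no protection is worth seeing concretely. The block below is an added example, not the researchers' code and not C-Data's actual credential format: it builds a constructed store of three credentials obfuscated with a fixed repeating key, then shows that knowing any one password (for instance, the one an auditor set themselves) recovers the key and exposes every other entry. The key `k3y!`, the credentials and the store layout are all invented for the example; the known password must be at least as long as the key for the period detection to work. The second half shows what a device should store instead: a salted PBKDF2 verifier from which the password cannot be recovered.

```python
import hashlib
import hmac
import os


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_obfuscate(data, key):
    """Repeating-key XOR, the kind of 'encryption' the report describes. It is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def smallest_period(stream):
    """Length of the shortest repeating unit in a recovered key stream."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(known_plaintext, known_ciphertext):
    """One known password/blob pair yields the key stream; its repeating unit is the key."""
    stream = xor_bytes(known_plaintext, known_ciphertext)
    return stream[: smallest_period(stream)]


# --- Constructed demonstration store (invented layout, not C-Data's real format) ---
_HIDDEN_KEY = b"k3y!"  # the firmware's fixed key, not known to the auditor
PLAIN_CREDS = {
    "web_admin": b"netops-Pa55word",  # the auditor knows this one: they set it
    "telnet_admin": b"Gp0n-Cli-2020!",
    "snmp_rw": b"private-community-string",
}
OBFUSCATED_STORE = {name: xor_obfuscate(pw, _HIDDEN_KEY) for name, pw in PLAIN_CREDS.items()}


def audit_xor_store(store, known_name, known_password):
    """Show that knowing a single password exposes every other entry in an XOR store."""
    key = recover_key(known_password, store[known_name])
    return key, {name: xor_obfuscate(blob, key) for name, blob in store.items()}


# --- What a credential store should hold instead ------------------------------------
def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256: stores a verifier, not a recoverable secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    """Constant-time comparison of the candidate against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    key, recovered = audit_xor_store(OBFUSCATED_STORE, "web_admin", PLAIN_CREDS["web_admin"])
    print("recovered key:", key)
    for name, pw in recovered.items():
        print(f"  {name}: {pw.decode()}")
```

The point of the contrast is that a reversible transform of any kind, XOR included, is only as secret as the key baked into the firmware, which every device shares. A verifier such as the PBKDF2 output lets the device check a login without ever being able to hand the password back, so a file-disclosure bug like the fifth one above would yield salted hashes rather than usable credentials.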
Last but not least, the two researchers said that all management interfaces on the tested devices ran in cleartext modes, with HTTP instead of HTTPS, Telnet instead of SSH, and so on. They said this exposed the devices and the ISPs that use them to easy MitM (man-in-the-middle) attacks.
Full disclosure
Kim and Torres said they published their findings today without notifying the vendor, as they believe some of the backdoors were intentionally placed in the firmware by the vendor.
C-Data was not immediately available for comment.
The two also say that identifying all vulnerable devices will be a problem for ISPs, as some of the vulnerable equipment also appears to have been sold as a white-label product under various brands, such as OptiLink, V-SOL CN, BLIY, and possibly others.
Below is the list of vulnerable C-Data FTTH OLT models:
72408A
9008A
9016A
92408A
92416A
9288
97016
97024P
97028P
97042P
97084P
97168P
FD1002S
FD1104
FD1104B
FD1104S
FD1104SN
FD1108S
FD1108SN
FD1204S-R2
FD1204SN
FD1204SN-R2
FD1208S-R2
FD1216S-R1
FD1608GS
FD1608SN
FD1616GS
FD1616SN
FD8000