Security Flaw Exposes Fibre Optic GPON Home Routers to Hackers UPDATE

Thursday, May 3rd, 2018 (9:33 am) - Score 4,513

Security researchers working for VPN Mentor have tested “many random” GPON ISP routers and discovered that all were vulnerable to two new exploits that could enable a hacker to hijack the device. Related routers are used by Gigabit “full fibre” (FTTH/P) broadband providers around the world.

At the time of writing, full details of the two vulnerabilities – CVE-2018-10561 and CVE-2018-10562 – have not yet been published, so we don’t know exactly which manufacturers were subjected to the random testing. The group used Shodan to estimate that over a million Gigabit Passive Optical Network (GPON) routers are currently affected, mostly in Mexico, Kazakhstan and Vietnam (mercifully only a very few were in the UK).

Essentially, the first flaw bypasses the device’s authentication mechanism, while the second is a command injection vulnerability that allows an attacker to execute commands on the device. Both can be combined to completely take over a router, which then leaves the end user’s network open to abuse, such as traffic hijacking and/or the loss of personal data.

VPN Mentor Statement

During our analysis of GPON firmwares, we found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562) that could, when combined, allow complete control on the device and therefore the network. The first vulnerability exploits the authentication mechanism of the device that has a flaw. This flaw allows any attacker to bypass all authentication.

The flaw can be found with the HTTP servers, which check for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick.

While looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected by the host parameter.

Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.

Apparently many of the vulnerable GPON routers are made by the South Korean firm Dasan Networks, which allegedly did not respond to the researchers (possibly due to a language barrier). The question now is whether or not such flaws will be patched by the responsible company(s). Router manufacturers often have fairly short life-cycles on their devices, which can result in a lack of support after only a fairly short period.

UPDATE 8th May 2018

We have the following statement from Dasan.

Statement from DZS regarding authentication bypass exploit

DASAN Zhone Solutions, Inc. has investigated recent media reports that certain DZS GPON Network Interface Devices (NIDs), more commonly known as routers, could be vulnerable to an authentication bypass exploit.

DZS has determined that the ZNID-GPON-25xx series and certain H640-series GPON ONTs, when operating on specific software releases, are affected by this vulnerability. No service impacts from this vulnerability have been reported to DZS to date. After an internal investigation, we have determined the potential impact is much more limited in scope than previously reported in the media. According to DZS sales records, combined with field data gathered to date, we have estimated the number of GPON ONT units that may be potentially impacted to be less than 240,000. In addition, given the relative maturity of the products in their lifecycle, we think the impact is limited to even fewer devices.

Product History

The DZS ZNID-GPON-25xx and certain H640-series ONTs, including the software that introduced this vulnerability, were developed by an OEM supplier and resold by DZS. While designed and released more than 9 years ago, most of these products are now well past their sustainable service life. Because software support contracts are no longer offered for most of these products, we do not have direct insight to the total number of units that are still actively used in the field.

Resolution

DZS has informed all the customers who purchased these models of the vulnerability. We are working with each customer to help them assess methods to address the issue for units that may still be installed in the field. It will be up to the discretion of each customer to decide how to address the condition for their deployed equipment.

The DZS Commitment

DZS’s mission is to ensure that all its solutions meet the highest security standards in the industry. We embrace this, and every opportunity, to review and continuously improve our security design and testing methodologies.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.