Two security researchers have discovered undocumented Telnet admin accounts in 29 Fiber-To-The-Home (FTTH) devices from Chinese vendor C-Data.
The C-Data OLTs are sold under different brands, including Cdata, OptiLink, V-SOL CN, and BLIY. Some of the devices support multiple 10-gigabit uplinks and provide Internet connectivity to up to 1024 ONTs (clients).
Below is the list of vulnerable C-Data FTTH OLT devices:
The backdoor accounts were found in the firmware of 29 FTTH Optical Line Termination (OLT) devices from popular vendor C-Data. They could allow users to access a secret Telnet admin account running on the devices’ external WAN interface, granting them full administrator CLI access.
According to the experts, the backdoor accounts were intentionally introduced.
FTTH Optical Line Termination (OLT) devices serve as the service provider endpoint of a passive optical network; they are located all over an ISP’s network.
The security duo, composed of Pierre Kim and Alexandre Torres, disclosed seven vulnerabilities in the firmware of FTTH OLT devices manufactured by C-Data.
The experts confirmed the presence of the security issues in the latest firmware running on two devices they have analyzed (FD1104B and FD1108SN OLTs), but they speculate the vulnerabilities could impact 27 other FTTH OLT models.
The most severe issue is the presence of Telnet backdoor accounts hardcoded in the firmware.
“A telnet server is running in the appliance and is reachable from the WAN interface and from the FTTH LAN interface (from the ONTs).” reads the analysis published by the experts.
“Depending on the firmware, the backdoor credentials may change. You can find below a complete list of backdoor (undocumented) credentials, giving an attacker a complete administrator CLI access.”
The two researchers discovered the following backdoor accounts in the devices they have analyzed:
The researchers pointed out that the initial backdoor CLI access could be used by attackers to trigger other vulnerabilities, for example, to extract administrator credentials by running a command in the CLI.
Another vulnerability discovered by the experts could allow attackers to execute shell commands with root privileges from any CLI account.
Experts also discovered a DoS issue affecting the Telnet server that could be exploited to reboot any OLT device using this command:
$ for i in $(seq 1 10); do cat /dev/urandom | nc 192.168.1.100 23 | hexdump -C;done
The fifth issue could be exploited to obtain credentials in clear-text.
“A web server is running in the appliance and is reachable from the WAN interface and from the FTTH LAN interface (from the ONTs).” continue the experts.
“Without authentication, an attacker can extract web, telnet credentials and SNMP communities (read and write) by fetching these files”
The remaining two vulnerabilities are related to the use of a weak encryption algorithm and the use of insecure management interfaces.
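A defender-side check for the exposure described above, as an added example that is not from the researchers' analysis or from the vendor: it scans flow records for connections to OLT management services (Telnet, web, SNMP) that originate from the WAN or from the ONT side rather than from a dedicated management subnet. The subnets, OLT addresses, record format and the web/SNMP port numbers are assumptions, and the sample records are constructed.

```python
import ipaddress

# All subnets, addresses and flow records below are constructed for illustration.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed dedicated management subnet
ONT_NET = ipaddress.ip_network("100.64.0.0/16")   # assumed subscriber (ONT-side) range
OLT_ADDRS = {ipaddress.ip_address(a) for a in ("10.10.0.11", "10.10.0.12")}
# Telnet on 23 matches the article; 80/443 (web) and 161/udp (SNMP) are assumed defaults.
MGMT_PORTS = {("tcp", 23): "telnet", ("tcp", 80): "web",
              ("tcp", 443): "web", ("udp", 161): "snmp"}

# Assumed record format: timestamp proto src dst dport
SAMPLE_FLOWS = """\
2020-07-10T09:00:01Z tcp 10.10.0.5 10.10.0.11 23
2020-07-10T09:00:07Z tcp 100.64.3.20 10.10.0.11 23
2020-07-10T09:01:13Z tcp 203.0.113.50 10.10.0.12 80
2020-07-10T09:02:40Z udp 100.64.9.9 10.10.0.12 161
2020-07-10T09:03:00Z tcp 203.0.113.50 10.10.0.99 23
2020-07-10T09:03:05Z tcp 100.64.3.20 10.10.0.11 8080
malformed line
"""

def origin(src_ip):
    """Classify where a connection comes from relative to the OLT."""
    if src_ip in MGMT_NET:
        return "mgmt"
    if src_ip in ONT_NET:
        return "ont-side"
    return "wan"

def find_exposures(text):
    """Return (ts, origin, service, src, dst) for management-service
    connections to an OLT that do not come from the management subnet."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, proto, src, dst, dport = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        service = MGMT_PORTS.get((proto, port))
        if dst_ip in OLT_ADDRS and service and origin(src_ip) != "mgmt":
            findings.append((ts, origin(src_ip), service, src, dst))
    return findings

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_FLOWS):
        print(*finding)
```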
The duo did not report the issue to the vendor and published their findings because they believe some of the backdoors were intentionally implemented in the firmware of the devices.
C-Data was not immediately available for comment.
(SecurityAffairs – hacking, FTTH devices)