Security experts at vpnMentor last week disclosed a couple of zero-day vulnerabilities (CVE-2018-10561 & CVE-2018-10562) in Gigabit-capable Passive Optical Network GPON home routers manufactured by the company Dasan.
The researchers have found a way to bypass the authentication to access the GPON home routers (CVE-2018-10561). The experts chained this authentication bypass flaw with another command injection vulnerability (CVE-2018-10562) and were able to execute commands on the device.
The GPON home routers are widely adopted by ISPs that offer fiber-optic Internet, it has been estimated that roughly one million of these devices are exposed to the Internet, most of them in Mexico, Kazakhstan, and Vietnam.
After the disclosure of the two vulnerabilities, experts started working on PoC exploit code, the Italian security expert Federico Valentini (
@f3d_0x0), ICT Security researcher at Cefriel, for example, published a Python exploit for Remote Code Execution on GPON home routers (CVE-2018-10562).
one more thing, we captured a new mirai branch which also picked up this GPON vulnerability, so we are looking at at least three different campaigns going after the GPON now. (the .VN, the muhstik and mirai)
— 360 Netlab (@360Netlab) May 7, 2018
Waiting for the official patch from the manufacturer, vpnMentor researchers have released their unofficial patches for the two zero-days.
The deployment of the patch is quite simple, users simply have to enter the router’s local IP address and click the “Run Patch” button. The tool executes a script in the browser that allows users to disable the web server that represents the entry point for the attackers.
“All you have to do is input your infected router IP (it can be a local LAN address — it doesn’t have to be WAN) and a new password where you can access your router via LAN only SSH/Telnet, and our script will execute the patch.” states the post published by VPNmentor.
“Notice: By pressing “Patch”, you will execute the script yourself on the provided IP (whether local or WAN connected), since we use a client-side patch your browser will initiate.”
Once executed the patch, the router’s web interface will not be accessible from the browser (so it will not be exploited) and re-enabling the web server could not be so easy.
“This patch was not created by the official company and is not guaranteed. It was created to help mitigate the vulnerabilities until an official patch is released. Therefore, any issues or problems that might be caused by the use of this tool is not our responsibility, and we advise you to use it at your own risk.” reads the disclaimer for the patch.
“This tool disables the web server in a way that is not easy to reverse, it can be done with another patch script, but if you are not comfortable with the command line we suggest firewalling your device until an official patch is released.”
(Security Affairs – GPON home routers, hacking)