Chinese firm CDATA, which makes networking kit for FTTH and Hybrid Fibre Coax (HFC) based broadband ISPs (often sold re-branded as OptiLink, V-SOL CN, BLIY etc.), is facing a serious problem after security researchers found 7 vulnerabilities in its OLT kit, including backdoor accounts that grant admin access via a hidden Telnet service.
The researchers – Pierre Kim and Alexandre Torres (via ZDNet) – examined a number of Optical Line Terminal (OLT) devices from CDATA’s range of Gigabit Passive Optical Network (GPON) kit. The vulnerabilities they discovered affect a wide range of the firm’s devices, even on the latest firmware, including modern 10Gbps capable kit like the FD1608GS, FD1608SN, FD1616GS and FD1616SN among many others.
A total of seven very serious vulnerabilities were discovered in these devices, covering everything from a weak encryption algorithm to insecure management interfaces and credential leaks. But by far the worst is the allegedly “intentionally placed” (by the vendor) backdoor access over telnet. As security goes, you really can’t get much worse than this in such a key piece of hardware.
The Seven Vulnerabilities
* Backdoor Access with telnet
* Credentials infoleak and credentials in clear-text (telnet)
* Escape shell with root privileges
* Pre-Auth Remote DoS
* Credentials infoleak and credentials in clear-text (HTTP)
* Weak encryption algorithm
* Insecure management interfaces
The researchers found that a telnet server was running on the appliance, reachable from both the WAN interface and the FTTH LAN interface (i.e. from the ONTs). They also discovered a set of undocumented credentials (logins and passwords) that give backdoor admin access over that service.
The undocumented credentials seem to vary depending upon the firmware version, but they appear to include some surprisingly simple ones (e.g. login: debug – password: debug124, login: guest – password: [empty], login: suma123 – password: panger123 etc.). The passwords are so basic that even a regular brute force attack, in our view, could probably uncover them without much effort.
Ordinarily the expectations of responsible disclosure would demand that the company be informed and given time to fix the flaws before they are exposed to the public. But in this case the researchers opted for full disclosure without taking that step “as we believe some backdoors are intentionally placed by the vendor.” Yikes.
Off the top of our heads we don’t know of any UK broadband ISPs that are using CDATA’s OLTs in their networks, but that doesn’t mean somebody somewhere isn’t doing so, as very few operators talk openly about their suppliers. Nevertheless, it just goes to show that the current excessive focus on firms like Huawei (and ZTE before them) may come at the cost of overlooking much weaker links in the chain at other, smaller, vendors.
The vulnerabilities themselves were validated against FD1104B and FD1108SN OLTs in a lab environment running the latest firmware versions (V1.2.2 and 2.4.05_000, 2.4.04_001 and 2.4.03_000), although static analysis shows that these same issues also “appear to affect all available OLT models as the codebase is similar.” See the list below for more affected kit.
* 72408A
* 9008A
* 9016A
* 92408A
* 92416A
* 9288
* 97016
* 97024P
* 97028P
* 97042P
* 97084P
* 97168P
* FD1002S
* FD1104
* FD1104B
* FD1104S
* FD1104SN
* FD1108S
* FD1204S-R2
* FD1204SN
* FD1204SN-R2
* FD1208S-R2
* FD1216S-R1
* FD1608GS
* FD1608SN
* FD1616GS
* FD1616SN
* FD8000
We have asked CDATA for a comment and await their response.