FiberHome HG6245D router

At least 28 backdoor accounts and quite a few other vulnerabilities have been found in the firmware of a popular FTTH ONT router, commonly deployed across South America and Southeast Asia.

FTTH ONT stands for Fiber-to-the-Home Optical Network Terminal. These are special devices installed at the end of optical fiber cables. Their role is to convert the optical signals sent over fiber optic cables into traditional Ethernet or wireless (WiFi) connections.

FTTH ONT routers are usually installed in apartment buildings or in the homes or businesses that opt for gigabit-type subscriptions.

A slew of hardcoded credentials

In a report published last week, security researcher Pierre Kim said he identified a large number of security issues with the FiberHome HG6245D and FiberHome RP2602, two FTTH ONT router models developed by Chinese company FiberHome Networks.

The report describes both positive and negative findings about the two router models and their firmware.

For example, on the positive side, neither device exposes its management panel via the IPv4 external interface, making attacks against its web panel impossible over the internet. Additionally, the Telnet management feature, which is often abused by botnets, is also disabled by default.

However, Kim says that FiberHome engineers apparently failed to activate these same protections for the routers' IPv6 interface. Kim notes that the device firewall is only active on the IPv4 interface and not on IPv6, giving threat actors direct access to all of the router's internal services, as long as they know the IPv6 address needed to reach the device.

Starting with this issue, Kim detailed a long list of backdoors and vulnerabilities he discovered on the device, which he claims attackers could abuse to take over ISP infrastructure. These issues include the likes of:

  • The management interface leaks device details if accessed from a browser with JavaScript disabled. One of the leaked details is the device's MAC address.
  • A backdoor mechanism allows an attacker to use the device's MAC address to initiate a Telnet connection to the router by sending a specially crafted HTTPS request [https://[ip]/telnet?enable=&key=calculated(BR0_MAC)].
  • Passwords and authentication cookies for the admin panel are stored in cleartext in HTTP logs.
  • The management interface is secured through a hardcoded SSL certificate stored on the device that can be downloaded and used for MitM and other attacks.
  • The web server (management panel) contains a list of 22 hardcoded credentials, which Kim believes were added and in use by various internet service providers.
  • The firmware also contains hardcoded credentials for managing the device via the TR-069 protocol.
  • There are also credentials in the web server binary that are encrypted. However, the XOR key to decrypt them is also in the binary, rendering their encryption useless. As Kim notes, this is the same XOR key used in the firmware of C-Data devices, which were also affected by similar backdoor issues.
  • A hardcoded root password for a Telnet server is also included. This server is disabled by default, though.
  • The firmware also includes different sets of hardcoded credentials for a low-level Telnet account. Kim found four.
  • A privilege escalation vulnerability in the Telnet daemon allows attackers to escalate their privileges to root level.
  • But the Telnet authentication can also be bypassed entirely, via two different methods.
  • Or a denial of service bug can be used to crash Telnet entirely.
  • In addition, several passwords for other router services are stored in cleartext inside the firmware or the router's NVRAM.

Based on the number and nature of the hardcoded backdoor accounts he identified inside the device's firmware, Kim said that he believes "that some backdoors have been intentionally placed by the vendor."

Requests for comment sent by ZDNet to FiberHome via email and its official website last Thursday, January 14, remained unanswered at the time of writing.

Kim said he identified these issues in January 2020 and notified the vendor. The researcher couldn't determine whether any of the bugs have been patched, as he hasn't tested newer versions of the firmware since then.

Furthermore, the researcher also warns that the same backdoor/vulnerability issues could affect other FiberHome models, since most vendors tend to reuse or only slightly edit firmware between different product series.

FiberHome devices were abused last year

It is of utmost urgency that device owners secure FiberHome routers. In late 2019, security researchers from Qihoo 360 reported that threat actors had already been abusing FiberHome systems to build botnets, mostly used as proxy networks.

In May 2020, the US Department of Commerce added FiberHome and eight other Chinese tech companies to a blacklist restricting their access to US companies, exports, and technologies.

In a press release, US officials said the nine companies were "complicit in human rights violations and abuses committed in China's campaign of repression, mass arbitrary detention, forced labor and high-technology surveillance against Uighurs, ethnic Kazakhs, and other members of Muslim minority groups in the Xinjiang Uighur Autonomous Region (XUAR)."