Two security researchers said this week that they found severe vulnerabilities and what appears to be intentional backdoors in the firmware of 29 FTTH OLT devices from popular vendor C-Data.
FTTH stands for Fiber-To-The-Home, while OLT stands for Optical Line Termination.
The term FTTH OLT refers to networking equipment that allows internet service providers to bring fiber optics cables as close to the end-users as possible.
As their name hints, these devices are the termination on a fiber optics network, converting data from an optical line into a classic Ethernet cable connection that’s then plugged in a consumer’s home, data centers, or business centers.
These devices are located all over an ISP’s network, and due to their crucial role, they are also one of today’s most widespread types of networking devices, as they need to sit in millions of network termination endpoints all over the globe.
Seven very severe vulnerabilities
In a report published this week, security researchers Pierre Kim and Alexandre Torres said they discovered seven vulnerabilities in the firmware of FTTH OLT devices manufactured by Chinese equipment vendor C-Data.
Kim and Torres said they confirmed the vulnerabilities by analyzing the latest firmware running on two devices, but they believe that the same vulnerabilities impact 27 other FTTH OLT models, as they run similar firmware.
The vulnerabilities are as bad as it gets, but by far, the worst and most disturbing of the seven is the presence of Telnet backdoor accounts hardcoded in the firmware.
The accounts allow attackers to connect to the device via a Telnet server running on the device’s WAN (internet-side) interface. Kim and Torres said the accounts granted intruders full administrator CLI access.
The two researchers said they found four username-password combinations hidden in the C-Data firmware, with backdoor accounts differing per device, based on the device model and firmware version.
But this initial backdoor CLI access could then be used to exploit other vulnerabilities. For example, Kim and Torres said an attacker could also exploit a second bug to list credentials in cleartext in the Telnet CLI for all the other device administrators; credentials that could be used at a later point in case the backdoor account is removed.
A third vulnerability also allowed the attacker to execute shell commands with root privileges from any CLI account.
The fourth bug was discovered in the same Telnet server running on the WAN interface. Kim and Torres said that this server could be abused to crash the FTTH OLT device. Since the server was running by default on the WAN interface, this bug could be used to sabotage an ISP’s network if they’re not filtering traffic towards the FTTH OLT devices.
But the devices were also running a web server that was included to power the device’s management web panel. Here, Kim and Torres found the fifth bug. Just by downloading six text files from this web server, an attacker could get his hands on cleartext account credentials for the device’s web interface, Telnet server, and SNMP interface.
In case any of the passwords are found in an encrypted format, Kim and Torres say that this is not a problem either, as credentials are usually secured with an easy to break XOR function.
And last, but not least, the two researchers pointed out that all management interfaces on the tested devices ran in cleartext modes, with HTTP rather than HTTPS, Telnet instead of SSH, and so on. They said this opened devices and the ISPs that used them to easy MitM (man-in-the-middle) attacks.
Kim and Torres said they published their findings today without notifying the vendor as they believe some of the backdoors were intentionally placed in the firmware by the vendor.
C-Data was not immediately available for comment.
The two also say that identifying all vulnerable devices will also be a problem for ISPs, as some of the vulnerable equipment also appears to have been sold as a white-label product, under different brands, such as OptiLink, V-SOL CN, BLIY, and possibly others.
Below is the list of vulnerable C-Data FTTH OLT models: