A security researcher discovered a host of vulnerabilities and various backdoors in FiberHome HG6245D devices, amountintg to a severe security problem in countries where ISPs deploy this hardware. The FiberHome device is a GPON (Gigabit Passive Optical Networks) FTTH (fiber-to-the-home). It’s a device that transforms the optical network into Ethernet, allowing for deployment in large buildings, for example.
Vulnerabilities in management devices are all the more important because they affect a larger swath of users and companies. As expected, they have powerful hardware and lots of storage, making them an attractive target for criminals.
“Some vulnerabilities have been tested successfully against another fiberhome device (AN5506-04-FA, firmware RP2631, 4 April 2019),” said security researcher Pierre Kim. “The fiberhome devices have quite a similar codebase, so it is likely all other fiberhome devices (AN5506-04-FA, AN5506-04-FAT, AN5506-04-F) are also vulnerable.”
“Futhermore, due to the lack of firewall for IPv6 connectivity, all the internal services will be reachable over IPv6 (from the Internet),” added Kim. “It is in fact trivial to achieve pre-auth RCE as root against the device, from the WAN (using IPv6) and from the LAN (IPv4 or IPv6).”
The researcher found problems with hardcoded SSL certificates, backdoors allowing telnet access, privilege escalation issues, and even passwords stored in clear text. The overwhelming number of problems are likely present and render the devices extremely unsecure.
Typically, researchers follow a disclosure timeline, but since some of the backdoors seem to have been implemented by the vendor, Pierre Kim decided to publish the findings, hoping to speed up the timeline for incoming patches.
FiberHome devices are mainly deployed in South America and Southeast Asia.