A total of 29 Fiber-To-The-Home (FTTH) Optical Line Terminal (OLT) devices from Chinese vendor C-Data have been found by security researchers to contain backdoors.
The company's OLTs are sold under several brands, including BLIY, OptiLink, V-SOL CN, and C-Data. A single OLT can serve a large number of subscribers (up to 1024 in some cases), and some of the affected devices also support multiple 10-gigabit uplinks, so a compromised OLT gives an attacker a foothold in front of every customer behind it.
Security researchers Pierre Kim and Alexandre Torres found multiple vulnerabilities in the FD1104B and FD1108SN OLTs, including a backdoor telnet server that is reachable from both the WAN and the FTTH LAN interfaces.
The backdoor credentials vary between firmware versions and brands (identified pairs include suma123 / panger123, guest / [empty], root / root126, and debug / debug124), but every pair grants access to the affected devices.
The researchers also found that an intruder with backdoor access to the OLT can read the administrator credentials through the command-line interface (CLI), which in turn unlock the embedded web server. The CLI can also be escaped to execute arbitrary commands as root and to exfiltrate information from the device.
During their investigation the researchers also found that the telnet server exposed on the WAN interface can be abused to reboot the device remotely without any authentication, a pre-authentication denial of service.
In addition, web and telnet credentials and SNMP communities can be extracted without authentication, and stored credentials are effectively in cleartext: the "encryption" used to store passwords is an XOR with a hardcoded value, which anyone with the firmware (or a single known password) can reverse. The management interfaces do not support SSL/TLS either, so remote administration traffic travels unencrypted.
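To show why "XOR with a hardcoded value" is obfuscation rather than encryption, here is an added example (not code from the original article or from C-Data firmware). The key, the hex storage format and the sample account list are assumptions constructed for illustration; the article does not disclose the real key or format. The example goes slightly beyond the article: it shows that even without the firmware, one known password recovers the key for every other stored credential.

```python
# Added example, not code from the original article or from C-Data firmware.
# Demonstrates that repeating-key XOR is its own inverse and that a single
# known plaintext password leaks the hardcoded key for all other accounts.
# ASSUMED_KEY and SAMPLE_CONFIG are constructed for illustration only.

from itertools import cycle

ASSUMED_KEY = bytes.fromhex("5a3c7e19")  # hypothetical hardcoded key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key returns the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(password: str, key: bytes = ASSUMED_KEY) -> str:
    """What a firmware of this kind might write to its config: XOR, then hex."""
    return xor_bytes(password.encode(), key).hex()


def deobfuscate(stored: str, key: bytes = ASSUMED_KEY) -> str:
    """Recover the plaintext; the same XOR undoes the obfuscation."""
    return xor_bytes(bytes.fromhex(stored), key).decode()


def recover_key(known_password: str, stored: str, key_len: int) -> bytes:
    """Known-plaintext attack: XOR-ing a known password with its stored form
    yields the key stream. With a repeating key, the first key_len bytes are
    the key itself (the known password must be at least key_len bytes long)."""
    stream = xor_bytes(bytes.fromhex(stored), known_password.encode())
    if len(stream) < key_len:
        raise ValueError("known password too short to recover the full key")
    # The stream must repeat with period key_len, otherwise the scheme differs.
    for i in range(key_len, len(stream)):
        if stream[i] != stream[i % key_len]:
            raise ValueError("stored value is not a repeating-key XOR of the known password")
    return stream[:key_len]


def recover_all(config: dict, known_user: str, known_password: str, key_len: int) -> dict:
    """Given one account whose password is known (e.g. a low-privilege account
    the attacker controls), decode every stored credential in the config."""
    key = recover_key(known_password, config[known_user], key_len)
    return {user: deobfuscate(blob, key) for user, blob in config.items()}


# Constructed sample config: username -> obfuscated password (hex).
SAMPLE_CONFIG = {
    "admin": obfuscate("S3cr3t-Adm1n!"),
    "operator": obfuscate("oper@tor2020"),
    "guest": obfuscate("guestpass"),  # the one password the attacker knows
}

if __name__ == "__main__":
    # The attacker knows only the guest password and can read the config.
    for user, password in recover_all(SAMPLE_CONFIG, "guest", "guestpass",
                                      key_len=len(ASSUMED_KEY)).items():
        print(f"{user}: {password}")
```

With the firmware in hand the key is simply read out of the binary and `recover_key` is unnecessary; the point of the known-plaintext path is that the scheme fails even without it. The only sound fix is to stop storing reversible passwords at all and keep salted, slow password hashes (bcrypt, scrypt or Argon2) instead.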
The researchers identified additional impacted models through static analysis, namely 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104S, FD1104SN, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD161616SN, and FD8000.
The vulnerabilities were discovered in December 2019, and this week the researchers decided to publicly disclose their findings, stating that they believe some of the backdoors were "intentionally put by the vendor".