RCE Vulnerability Affects Over 1 Million Dasan Routers

Two remotely exploitable vulnerabilities found in South Korea-based Dasan Networks routers could allow threat actors to control over 1 million affected devices. The two vulnerabilities in GPON (Gigabit-capable Passive Optical Network) routers, which provide fiber-optic internet, enable attackers to bypass authentication mechanisms and even inject arbitrary commands.

The first vulnerability (CVE-2018-10561) lets hackers append a “?images/” string into the device’s web interface URL, effectively bypassing any authentication and allowing the attacker to completely manage the device. Coupled with the second vulnerability (CVE-2018-10562) that allows for command injection, unauthenticated attackers can take full remote control of the device.

“Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability,” reads the vpnMentor report.

Since routers are basically the gateway through which all home network devices connect to the internet, attackers controlling them remotely raises serious security and privacy concerns, especially since it could affect more than 1 million users.

“We tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them,” reads the research. “Because so many people use these types of routers, this vulnerability can result in an entire network compromise.”

With the ability to redirect uses to compromised websites, trick them into installing malware, infect other network devices, and even eavesdrop on all household network traffic, these potentially compromised routers could also be enslaved into a botnet and used in denial-of-service attacks. These Dasan gigabit routers could be used in a way similar to Mirai or Satori botnets, which use vulnerable and compromised IoT (internet-of-things) devices.

The two vulnerabilities have been reported to Dasan, but it’s unclear if they’ve been patched or if an update is available. Affected users are strongly encouraged to regularly check for security updates for their routers and even deploy a home network cybersecurity solution that can not only secure all network devices against threats, but also notify users when security updates become available for installation.

UPDATE: 05/09/2018 DASAN Zhone Solutions has provided the following statement to Bitdefender:

DASAN Zhone Solutions, Inc. has investigated recent media reports that certain DZS GPON Network Interface Devices (NIDs), more commonly known as routers, could be vulnerable to an authentication bypass exploit.

DZS has determined that the ZNID-GPON-25xx series and certain H640series GPON ONTs, when operating on specific software releases, are affected by this vulnerability. No service impacts from this vulnerability have been reported to DZS to date. After an internal investigation, we have determined the potential impact is much more limited in scope than previously reported in the media. According to DZS sales records, combined with field data gathered to date, we have estimated that the number of GPON ONT units that may be potentially impacted to be less than 240,000. In addition, given the relative maturity of the products in their lifecycle, we think the impact is limited to even fewer devices.

Product History

The DZS ZNID-GPON-25xx and certain H640-series ONTs, including the software that introduced this vulnerability, were developed by an OEM supplier and resold by DZS. While designed and released more than 9 years ago, most of these products are now well past their sustainable service life. Because software support contracts are no longer offered for most of these products, we do not have direct insight to the total number of units that are still actively used in the field.

Resolution

DZS has informed all the customers who purchased these models of the vulnerability. We are working with each customer to help them assess methods to address the issue for units that may still be installed in the field. It will be up to the discretion of each customer to decide how to address the condition for their deployed equipment.

The DZS Commitment

DZS’s mission is to ensure that all its solutions meet the highest security standards in the industry. We embrace this, and every opportunity, to review and continuously improve our security design and testing methodologies.