Hackers Start Exploiting Recently Found Flaws in GPON Routers

Hackers have started exploiting two recently disclosed vulnerabilities that potentially affect a large number of internet gateway devices used for residential gigabit-capable passive optical networks (GPON).

The vulnerabilities were found by a company called vpnMentor and affect GPON routers made by DASAN Networks, a global provider of networking solutions and customer premises equipment used by ISPs.

AWS Builder Community Hub

One vulnerability, tracked as CVE-2018-10561, can be used to bypass the authentication on the device web-based administration interface, while the second, CVE-2018-10562, allows attackers to execute rogue commands as root on devices. Combined, the flaws allow hackers to take over affected GPON routers remotely.

“While the vendor is working and may release a fix soon, many devices are shipped [as] private label ONTs developed by other OEM in 2008-2012, meaning we may never see a fix for such devices,” vpnMentor said on Twitter.

The company went public with details about the flaws earlier this week to alert users because it thought the risk of exploitation was great. A search on Shodan suggests that are more than 1 million potentially vulnerable GPON routers reachable from the internet.

It only took a couple of days from vpnMentor’s report for attackers to start searching for and exploit vulnerable devices. That’s not really surprising given that botnets made up of compromised routers are valuable resources for hackers and are often used to launch large-scale distributed denial-of-service attacks.

The fact that GPON devices are used for gigabit-size fiber connections makes them even more attractive since the firepower they provide is considerably greater than that of DSL or cable modems.

“It did not take long for miscreant to spot and add this to their weapon library,” researchers from the Network Security Research Lab at Chinese security firm Qihoo 360 reported via Twitter. “We have captured activity utilizing CVE-2018-10561 [and] CVE-2018-10562 with an active C2 up and running in VN.”

This incident highlights the risks associated with using ISP-supplied home networking equipment. Custom-branded devices that are used by multiple ISPs from around the world are often made by the same OEM and share the same underlying firmware.

This makes it difficult to identify all vulnerable devices when a security issue is found. It’s also highly unlikely that any patch released by an OEM will ever reach all affected devices, since those patches need to be distributed by every ISP that uses those devices.

Backdoored Package Found in npm Repository

Maintainers of npm, the central repository for Node.js components used by JavaScript developers from around the world, have recently identified a rogue package with a built-in backdoor.

The npm security team was notified by members of the developer community about the existence of a potential backdoor inside a package called getcookies. A subsequent investigation confirmed that the module did contain code that would have allowed external attackers to execute rogue commands via HTTP request headers.

The user who uploaded the backdoored module tried to stay under the radar by taking advantage of the nested dependency model of npm, where installing one package will also pull other modules specified as dependencies for it.

The user created three packages called getcookies, express-cookies and http-fetch-cookies. Only getcookies contained the backdoor, but it was listed as a dependency for express-cookies, which was itself defined as a dependency for http-fetch-cookies.

Furthermore, http-fetch-cookies was listed as a dependency in an older module called mailparser that’s deprecated, but still gets about 64,000 weekly downloads.

“We determined the published versions of mailparser that depended on http-fetch-cookies did not use the module in any way, eliminating any risk the backdoor posed,” the npm security team said in a blog post. “We speculate that mailparser’s requiring http-fetch-cookies was to execute an attack in the future or to inflate download counts of express-cookies to add to its legitimacy.”

While no compromise happened through mailparser itself, applications that pulled any of the three rogue modules directly might have been compromised.

This is not the first time when rogue packages get uploaded to central component repositories for different programming languages in order to execute software supply-chain attacks. It shows why it’s important for companies that develop applications to track and review third-party components they pull into their development environments.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin