Hackers have started exploiting two recently disclosed vulnerabilities that potentially affect a large number of internet gateway devices used for residential gigabit-capable passive optical networks (GPON).
The vulnerabilities were found by a company called vpnMentor and affect GPON routers made by DASAN Networks, a global provider of networking solutions and customer premises equipment used by ISPs.
One vulnerability, tracked as CVE-2018-10561, can be used to bypass authentication on the device's web-based administration interface, while the second, CVE-2018-10562, allows attackers to execute rogue commands as root on the device. Combined, the flaws allow hackers to take over affected GPON routers remotely.
“While the vendor is working and may release a fix soon, many devices are shipped [as] private label ONTs developed by other OEM in 2008-2012, meaning we may never see a fix for such devices,” vpnMentor said on Twitter.
The company went public with details about the flaws earlier this week to alert users because it thought the risk of exploitation was great. A search on Shodan suggests that there are more than 1 million potentially vulnerable GPON routers reachable from the internet.
It only took a couple of days from vpnMentor’s report for attackers to start searching for and exploiting vulnerable devices. That’s not really surprising given that botnets made up of compromised routers are valuable resources for hackers and are often used to launch large-scale distributed denial-of-service attacks.
The fact that GPON devices are used for gigabit-size fiber connections makes them even more attractive since the firepower they provide is considerably greater than that of DSL or cable modems.
“It did not take long for miscreants to spot and add this to their weapon library,” researchers from the Network Security Research Lab at Chinese security firm Qihoo 360 reported via Twitter. “We have captured activity utilizing CVE-2018-10561 [and] CVE-2018-10562 with an active C2 up and running in VN.”
This incident highlights the risks associated with using ISP-supplied home networking equipment. Custom-branded devices that are used by multiple ISPs from around the world are often made by the same OEM and share the same underlying firmware.
This makes it difficult to identify all vulnerable devices when a security issue is found. It’s also highly unlikely that any patch released by an OEM will ever reach all affected devices, since those patches need to be distributed by every ISP that uses those devices.
Backdoored Package Found in npm Repository
The npm security team was notified by members of the developer community about the existence of a potential backdoor inside a package called getcookies. A subsequent investigation confirmed that the module did contain code that would have allowed external attackers to execute rogue commands via HTTP request headers.
The user who uploaded the backdoored module tried to stay under the radar by taking advantage of the nested dependency model of npm, where installing one package will also pull other modules specified as dependencies for it.
The user created three packages called getcookies, express-cookies and http-fetch-cookies. Only getcookies contained the backdoor, but it was listed as a dependency for express-cookies, which was itself defined as a dependency for http-fetch-cookies.
Furthermore, http-fetch-cookies was listed as a dependency in an older module called mailparser that’s deprecated, but still gets about 64,000 weekly downloads.
“We determined the published versions of mailparser that depended on http-fetch-cookies did not use the module in any way, eliminating any risk the backdoor posed,” the npm security team said in a blog post. “We speculate that mailparser’s requiring http-fetch-cookies was to execute an attack in the future or to inflate download counts of express-cookies to add to its legitimacy.”
While no compromise happened through mailparser itself, applications that pulled any of the three rogue modules directly might have been compromised.
This is not the first time rogue packages have been uploaded to central component repositories for different programming languages in order to carry out software supply-chain attacks. It shows why it’s important for companies that develop applications to track and review the third-party components they pull into their development environments, including transitive dependencies.
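Tracking nested dependencies is exactly where the getcookies chain hid. The following Node.js script is an added example, not code from the article or the npm team: it walks a dependency tree in the shape of `npm ls --json` output and reports every chain by which a flagged package is reached, whether pulled in directly or several levels deep. The tree, version numbers and the flagged-package list are constructed for this example; only the package names come from the article.

```javascript
// Added example: report every dependency chain that leads to a flagged package.
// Package names are from the article; the tree and versions are constructed.

// Packages named in the article as rogue.
const FLAGGED = new Set(["getcookies", "express-cookies", "http-fetch-cookies"]);

// Constructed tree in the shape of `npm ls --json` output:
// { name, version, dependencies: { <name>: { version, dependencies: {...} } } }.
// It mirrors the chain the article describes, plus one direct pull of getcookies.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    mailparser: {
      version: "0.0.0-constructed",
      dependencies: {
        "http-fetch-cookies": {
          version: "0.0.0-constructed",
          dependencies: {
            "express-cookies": {
              version: "0.0.0-constructed",
              dependencies: {
                getcookies: { version: "0.0.0-constructed", dependencies: {} },
              },
            },
          },
        },
      },
    },
    lodash: { version: "0.0.0-constructed", dependencies: {} },
    getcookies: { version: "0.0.0-constructed", dependencies: {} },
  },
};

// Depth-first walk; returns one "a > b > c" string per flagged package found,
// so a reviewer sees both that a rogue module is present and how it got there.
function findFlaggedPaths(tree, flagged = FLAGGED) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const chain = [...path, name];
      if (flagged.has(name)) hits.push(chain.join(" > "));
      walk(child, chain); // keep descending: a flagged package may pull more
    }
  };
  walk(tree, []);
  return hits;
}

for (const chain of findFlaggedPaths(SAMPLE_TREE)) console.log("flagged:", chain);
```

Against a real project, feed it the parsed output of `npm ls --all --json` instead of `SAMPLE_TREE`; an empty result means none of the flagged names appear anywhere in the resolved tree.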