New Tool Launched to Safeguard Dasan GPON Routers from Remote Hacking Threats

Critical Vulnerabilities in GPON Routers Exposed

Recent developments in cybersecurity have drawn attention to two significant, unpatched vulnerabilities affecting GPON (Gigabit-capable Passive Optical Network) routers manufactured by South Korea’s DASAN Zhone Solutions. Hackers have begun exploiting these flaws, prompting security experts to create an unofficial patch to protect potentially millions of users suffering from vulnerabilities left unresolved by the manufacturer.

Last week, researchers from vpnMentor publicly disclosed details regarding the critical vulnerabilities: an authentication bypass (CVE-2018-10561) and a remote code execution flaw (CVE-2018-10562). The first vulnerability permits malicious actors to circumvent the router’s login authentication simply by appending “?images/” to the URL in the browser’s address bar, effectively allowing unauthorized access.

The second vulnerability escalates the severity of the situation, enabling command injection attacks that empower unauthenticated attackers to execute harmful commands on compromised devices. This includes modifications to DNS settings, facilitating complete and remote control over the router.

In the aftermath of this disclosure, security researchers at Qihoo 360 Netlab reported a surge in exploitation attempts, with hackers incorporating affected routers into botnet networks. An independent researcher has also made the situation more alarming by releasing a working proof-of-concept exploit, which is available on GitHub, potentially lowering the barrier for entry for less experienced malicious actors.
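Because the authentication bypass leaves a distinctive marker in the request URL (the "?images/" suffix described above), a defender can look for it in web-access or proxy logs in front of affected devices and see which sources are probing. The following Python script is an added example written for this article, not a tool from vpnMentor, Netlab or DASAN; the Common Log Format lines, IP addresses and request paths are constructed sample data, and the only indicator it relies on is the "?images/" pattern named in the text.

```python
import re
from collections import Counter

# Constructed sample access log in Common Log Format. The addresses come from
# documentation ranges and the paths are placeholders, not real device URLs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2018:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/May/2018:12:00:02 +0000] "GET /menu.html?images/ HTTP/1.1" 200 2048
198.51.100.7 - - [10/May/2018:12:00:03 +0000] "POST /admin/settings?images/ HTTP/1.1" 200 64
203.0.113.9 - - [10/May/2018:12:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 1024
malformed line that should be skipped
"""

# One Common Log Format record: client, ident, user, timestamp, request, status, size.
CLF_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) ([^"]*)" (\d{3}) (\S+)'
)

# Indicator from the public disclosure: the login bypass appends "?images/" to the URL.
BYPASS_MARKER = "?images/"


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    client, _ident, _user, ts, method, url, _proto, status, _size = m.groups()
    return {"client": client, "time": ts, "method": method,
            "url": url, "status": int(status)}


def is_auth_bypass_attempt(url):
    """True when the request URL carries the "?images/" bypass marker.

    A plain path under /images/ (static content) does not contain the marker
    and is therefore not flagged.
    """
    return BYPASS_MARKER in url


def scan_log(text):
    """Return the parsed records whose URL looks like a bypass attempt."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue  # skip lines that are not CLF; a real pipeline would count these
        if is_auth_bypass_attempt(rec["url"]):
            findings.append(rec)
    return findings


def attempts_per_source(findings):
    """Count flagged requests per client address, useful for spotting scanners."""
    return Counter(rec["client"] for rec in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["time"]} {rec["client"]} {rec["method"]} {rec["url"]} -> {rec["status"]}')
    for client, n in attempts_per_source(hits).most_common():
        print(f"{client}: {n} bypass attempt(s)")
```

A 200 response to a flagged request is the case to look at first, since it suggests the device served the protected page without a login; repeated hits from one address are consistent with the mass scanning that Netlab reported. On a real deployment the script would read the log file of the proxy or reverse proxy that fronts the router rather than the embedded string.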

Despite vpnMentor reporting these issues to DASAN, an official fix remains pending, leading to concerns about the nearly one million vulnerable routers still actively exposed on the Internet. Presently, these routers are at risk of being hijacked. For users with such devices, other than waiting for manufacturer-led solutions, immediate measures can be taken to bolster security.

Disabling remote administration and employing a firewall are two critical defensive strategies that users can implement to safeguard their devices. These measures restrict access to the local network, thus diminishing the likelihood of remote exploitation. vpnMentor has taken it a step further by offering a user-friendly tool that modifies router settings to mitigate the threat until an official patch is available, though users are cautioned that this is not a manufacturer-endorsed solution.

For those looking to secure their GPON routers, utilizing this tool involves entering the router’s local IP address and a new password for SSH or Telnet. Subsequently, running the tool facilitates crucial changes that help shield devices from unauthorized access. Nevertheless, experts advise users to carefully consider the implications of deploying third-party scripts and to hold out for an official resolution from the manufacturer wherever possible.

In the context of the MITRE ATT&CK framework, attackers exploiting these vulnerabilities likely employed tactics such as initial access via bypassing authentication mechanisms and privilege escalation through command execution vulnerabilities. These techniques underline the ongoing risk present when manufacturers do not act swiftly to address security shortcomings in their products.

As this situation unfolds, business owners are urged to remain vigilant, actively monitoring for updates both from manufacturers and cybersecurity resources to safeguard their networks against these and other potential threats.
