Technical Statement

Statement on Pierre Kim Revealing Security Vulnerabilities in C-data OLT products

We have noticed an article named “Multiple vulnerabilities found in C-Data OLTs” published in Github. C-Data admires the work of two professionals in technological circles, Pierre Kim and Alexandre Torres, and thanks for their identifying security breach problems through detailed testing, as well as for their active work in reducing the risks of users using network products. C-Data adheres to the philosophy of serving customers, and always puts customers’ interests in the first place, as well as pays special attention to the product safety problems. In this way, C-Data can provide customers with products with safety guarantee.

In the meantime, we have paid attention to some press releases published by the media, and have interpreted technical articles by Pierre Kim and Alexandre Torres. In order not to let the majority of customers misunderstand the safety design of our equipment, C-Data analyzes and clarifies the mentioned technical issues with a sincere and frank manner.

Excluding counterfeit products

The account mentioned in this article: panger123/suma123. We have investigated the account and the password. In addition, we have confirmed that the account and password are not from the C-Data OLT products, but are those used by other companies and people when they copy the C-Data OLT. The CLI style and most of its commands of the counterfeited OLT are all copied from the C-Data OLT. C-Data  OLT equipment is now widely used around the world, and counterfeiters copy C-Data OLT for illegal profits.

According to the following screenshot, we can completely compare and analyze that the account of panger123/suma123 comes from an illegally copied OLT.

[Replica command line style and version information]

[C-Data FD11XX series OLT version information and command line style]

If you use the account of panger123/suma123, you can never access C-Data OLT. The following figure shows the information interception of the failed attempt to log into the C-Data OLT with panger123/suma123 account.

This article analyzes the problem regarding “Authentication process with hardcoded credentials”. The demonstration indicates that we log into the bcm-shell of OLT and receive the key information of OLT with the telnet method. The relevant information all comes from the replica, instead of the C-Data OLT. In the screenshots, the account and password information marked in red is that of the fakes.

Introduction to several factory setting accounts

The following two telnet login accounts and passwords mentioned in this article are actually used on the C-Data’s first generation OLT (OLT starting withFD11XX):

OLT telnet account 1: debug/debug124

OLT telnet account 2: root/root126

This account and password are mainly used by C-Data to assist customers in debugging problems and writing production parameters. (OLT mac address information and SN information, etc.)

This account must be successfully logged in to the CONSOLE port by a local serial line on the OLT, then can entering the OLT bcm-shell mode to modify and view key information of the OLT. Use this accout under OLT TELENT mode, we can only enter the CLI of the device, can not entering OLT bcm-shell modify the key information of OLT.

If attacks want to enter the bcm-shell mode of OLT to obtain device privacy information or implant malicious programs into OLT, they must log into OLT by directly connecting the serial port line of the computer locally. In this way, by no means can the remote attackers use these two accounts to attack.

Therefore, there is no such situation as “Backdoor Access with telnet”.

In addition, as regards these two accounts, C-Data has revealed to the required customers without reservation. A common use of customers happens when they need to modify the MAC address.

[The following figure shows how to log into C-Data OLT remotely with debug/debug124 and root/root126, and how to attempt to enter the shell mode prompt. In addition, OLT prompt only supports entering bcm-shell under the direct connection of CONSOLE.]

Another usage scenario of debug/debug124 and root/root126 is when C-Data provides remote technical support at the request of customer. All C-Data’s remote access obtained customer’s consent after consultation with customers. When operating, the operator need to log in to the customer’s computer remotely, then log in to the device using the local serial ports of these two accounts, and work with the customer for positioning analysis of network problems in this way. Customer’s technicians will participate in and supervise the process of technical services throughout the process.

As for whether there is an issue where an attacker logs into the CLI using these two accounts through TELNET and then changes the configuration of the OLT, resulting in network security problems, we will further explain it in the security policy later.

OLT telnet Account3：guest/[empty]

The account and password are the account of factory default configuration, which can only check some basic information of OLT, and without having the authority to configure any OLT. The user can delete or modify the account as needed when using it.

Solution: As the FD11XX series OLT is the first generation models of C-DataOLT, the account and password rules of which are not fully considered. The default password is fixed and too simple, which may be taken advantage by criminals. C-Datawill immediately update and release the software version of this OLT product. In the latest version, the debugging account will no longer adopt the general fixed password, and the password will be generated by a special password generation tool according to the unique identification code bound to the device. If there is no unique identification code information of the device or password generation tool, the password cannot be obtained.

More Secure Cryptographic Mechanism

For other models of C-Data OLTs(OLT named FD15XX, FD16XX, FD12XX, FD8000), the problem of “Backdoor Access with telnet” does not exist, because these OLTs adopt a more secure cryptographic mechanism. The device is configured with several general accounts by factory default, including root/admin, admin/admin and guest/guest, which can be used by customers to initially configure OLT. Customers need to create, delete and modify the login account and password of the device according to their own security policies when using the device. We do not recommend using the factory default username and password in the operation network.

The device retains a debugging account for assisting customers in debugging and solving problems, and this account can also be used by customer to find the forgotten password when they forget the login password of OLT. However, the account no longer uses the general password, and the password is calculated and generated according to the unique identification information of the customer’s OLT. Only when the customer provides the information of unique identification code in conjunction with the special password generation tool can the password be generated. The password of each OLT is different, which will better ensure the safety of the device.

The Requirement of WEB Login Management

The user name and password displayed in this article are actually the needs of numerous users. The account and password are the login user name and password in the web management interface of OLT. As many customers feedback that some of their junior maintenance personnel may easily forget login the username and password  of OLT’s WEB management interface, and hope that higher-level managers can query the username and password of the WEB through OLT CLI, we provide this command at the customer’s request, so that customers can check the login username and password of the WEB by themselves through the command line. We believe that the customer can formulate an effective security management system, properly manage the use of usernames and passwords to avoid the risk of using this command.

Security strategies and suggestions

The article introduces several schemes that can be used to attack the C-DataOLT after knowing the account and password of C-Data’s “Backdoor Access with telnet” from the perspective of network security risks. C-Databelieves that the majority of customers have a set of measures suitable for their own defense against cyber-attack. The following will list the common measures to defend against cyber-attack on the customer’s side. These measures can protect the OLT from the following attack means mentioned in the article:

* Escape shell with root privileges

* Pre-Auth Remote DoS

* Credentials infoleak and credentials in clear-text (HTTP)

* Weak encryption algorithm

* Insecure management interfaces

Defense Strategy 1: In general network planning, all OLT management VLANs and service VLANs on the client-side are different. If the management VLAN used by the attacker is incorrect, this kind of planning makes it impossible to access the OLT equipment from the network-side of the OLT (uplink) or the user side (downlink to ONU).

Defense strategy 2: OLT is used as an access layer device. For many small and medium-sized ISPs, OLT is usually deployed on the intranet of its network. When the intranet goes to the public network, it will pass through the router or firewall device. Services such as telnet and http are disabled on the router and firewall equipment; Those who access the OLT are employees who have access to the OLT in the customer’s intranet; Indeed, if there are other personnel who need to access the OLT device in the intranet via the public network, they need to do port forwarding on the router or firewall, and only the customer knows the forwarding rules, so it is difficult for the attacker to obtain information and carry out attack.

Defense strategy 3: The OLT of C-Data has made a lot of control strategies, which are set by the customers themselves, and it can completely prevent network attackers from illegally logging into the device:

OLT configuring strategy 1:

It can be controlled by the OLT’s system access-control to allow certain specific IP addresses or mac to access the OLT device configured by the customer and is completely unknown to others.

OLT configuring  strategy 2:

The OLT’s outband acess can be turned on or off by the customer. Customers can turn off outband management and use inband management. In this case, device management is achieved through a dedicated management channel separated from business data, thus the network security is higher.

OLT configuring strategy 3:

OLT’s Web access port can be modified by the customer and can be closed and opened by the customer.

OLT configuring strategy 4:

The OLT can be configured with a perfect acl function to prevent the device from being attacked easily.

Conclusion

The article by Pierre Kim and Alexandre Torres did summarize in detail, and seriously tests C-Data’s device from the perspective of security vulnerabilities. The original intention of the original article was to feedback security vulnerabilities in the device, so that technicians and users notice security risks and carry out effective security precautions, not the meaning of “OLT device backdoor” when the media relayed the dissemination, and should not be interpreted as C-Data intentionally left a backdoor on the product. C-Data expects that products will give customers the best experience and make it more convenient for them to use the device. C-Data has the ability to help customers better establish defense strategies in cyber security. C-Data also welcomes all parties to put forward reasonable suggestions, so that C-Data device can give more consideration to customers’ safety issues and confusion when using the device under the premise of providing convenience and practicality to customers. Thank you!

Apendix:

Original source of the document:

https://pierrekim.github.io/blog/2020-07-07-C-Data-olt-0day-vulnerabilities.html

Online Media Reprint:

https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/