Critical flaws could bypass authentication and allow code injection

An unofficial patch has been released for two critical bugs found in some Dasan home routers that allowed remote code execution (RCE), as the manufacturer claims fewer devices were vulnerable to attack than originally reported.

Discovered earlier this month by a security team working with VPN Mentor, the flaws (CVE-2018-10561 and CVE-2018-10562) can enable attackers to bypass the authentication to access the routers – a million of which were estimated to be in use globally.

In lieu of an immediate fix from the vendor, VPN Mentor issued its own patch for the bug last week.

This comes as the manufacturer, Dasan, told The Daily Swig that the number of devices affected – 240,000 – was less than reported originally.

A statement released by Dasan read: “Dasan Zhone Solutions, Inc. has investigated recent media reports that certain DZS GPON Network Interface Devices (NIDs), more commonly known as routers, could be vulnerable to an authentication bypass exploit.

“DZS has determined that the ZNID-GPON-25xx series and certain H640series GPON ONTs, when operating on specific software releases, are affected by this vulnerability.

“No service impacts from this vulnerability have been reported to DZS to date.

“After an internal investigation, we have determined the potential impact is much more limited in scope than previously reported in the media.

“According to DZS sales records, combined with field data gathered to date, we have estimated that the number of GPON ONT units that may be potentially impacted to be less than 240,000.

“In addition, given the relative maturity of the products in their lifecycle, we think the impact is limited to even fewer devices.”

VPN Mentor issued the unofficial patch within days of going public with their findings, after claiming Dasan failed to respond to their disclosure.

Sarit Newman of VPN Mentor told The Daily Swig: “Since users are under attack, our research team worked throughout the entire weekend to try and create a patch for the routers. I’m proud to say they did it.

“It is critical that users know about the patch and can use it to fix their routers. We created a tool that allows them to do this, even if they don’t have a technical background.”

Third-party patch

The researchers found that certain Dasan Gigabit Passive Optical Network (GPON) home routers were vulnerable to the exploit, which could enable an attacker to bypass the router’s login.

A malicious actor would have to simply add ?images/ to the end of a URL to exploit the bug in the HTTP server.

They would then have complete control over the router and the network, allowing a hacker to execute code on the device.

Although VPN Mentor’s unofficial patch is now available, it carries a disclaimer stating that those who implement the script do so at their own responsibility.