Serious vulnerability in GPON devices leaves users wide open to compromise

A critical authentication flaw in more than one million routers can easily allow remote code execution (RCE), researchers have discovered.

Numerous Gigabit Passive Optical Network (GPON) home routers are vulnerable to the exploit, which can enable an attacker to bypass the router’s login.

A malicious actor would have to simply add ?images/ to the end of a URL to exploit the bug in the HTTP server.

They would then have complete control over the router and the network, allowing a hacker to execute code on the device.

The flaw (CVE-2018-10561) was discovered by a security team at VPN Mentor, who also discovered a command injection vulnerability (CVE-2018-10562) during their investigation.

“When combined, [these vulnerabilities] allow complete control on the device and therefore the network,” the firm said.

VPN Mentor demonstrated in a blog post how easy it is to bypass the authentication and take over one of the routers.

At the time of writing, there are just over one million of these affected routers in use worldwide.

The team tested a random selection of GPON devices built by manufacturer Dasan Zhone Solutions for the vulnerability and found that it was present in all of them.

But they claimed the company has failed to respond to their disclosure.

They also warned that the issue could result in an entire network compromise.

Ariel Hochstadt of VPN Mentor spoke to The Daily Swig about the findings and advised GPON users to switch to another device until the problem is solved.

DS: Is there any way that people using these routers can prevent against an RCE attack?

Ariel Hochstadt: Not really. I would advise to use a VPN so that even if the attacker get holds of your network, he will not be able to know what sites you are using.

Some VPNs, like NordVPN with their CyberSec function, supply similar functionality to antivirus software, which can help in preventing malware injection.

But the attacker can still use your network for criminal actions without you knowing – even if you use a VPN and your identity is hidden.

DS: What are the ramifications of a hack leveraging this vulnerability?

AH: Depending on what the attacker wants to achieve, he can be spying on the user and any connected device (TV, phones, PC, and even speakers like those in the Amazon Echo).

Also, he can inject malware into the browser, which means that even when you leave your home network, your device would be hacked.

If the hacker is resourceful, he can enable advanced spear phishing attacks, and even route criminal activities through exploited routers.

DS: What was the manufacturer’s response to your report?

AH: Regretfully we are getting used to corporations not responding until we actually publish the piece.

We specifically asked to be contacted by a security official, but no one has contacted us.

Only after the post went live, we received a LinkedIn request to get in touch from a PR agency working with the manufacturer, and we replied but have not yet had another email.

DS: In lieu of a response from the vendor, what would you advise people who use this router to do?

AH: Firstly, check if your router uses the GPON network.

Be aware that GPON routers can be hacked and exploited, so maybe switch your router until this is fixed.

Talk to your internet service provider to see what they can do to fix the bug, but we don't really expect to see an easy solution here.

DS: In the previous report regarding VPNs leaking IP addresses, you worked together with ethical hackers – was this the case with the latest report?

AH: Yes. We can't disclose the identity of the people, but our research team includes ethical hackers (two this time) who are highly skilled.

In fact, they would make more money selling this report on the dark web than working for us, but they actually care about the safety of the internet.