Introduction
Document Number
ENG-010610
Purpose
This document documents the reasons why the Tellabs ONTs are not vulnerable two vulnerabilities found in certain Dasan GPON Home Routers.
Applies To
Applies to all Tellabs ONTs regardless of software or hardware version.
Vulnerability Descriptions
CVE-2018-10561 - An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.
CVE-2018-10562 - An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
None of the Tellabs ONTs of any make or model are susceptible to either of these vulnerabilities for the following reasons.
- No Tellabs Data ONT (i.e. those with no analog voice ports) has an IP address and therefore these ONTs are not accessible at all from any port on the device and can only be managed or accessed from the GPON OMCI interface. Therefore, there is no possibility of any of these ONTs having these vulnerabilities.
- None of the Tellabs ONTs have an HTTP interface which is required for these exploits to work.
- The vulnerability is specific to certain Dasan-Zhone ONTs and how their HTTP interfaces were constructed. Tellabs does not use Dasan-Zhone ONTs.
It should be noted that all Tellabs ONTs are regularly scanned with each release and any vulnerabilities found are addressed. Since the ONTs have been locked down and all external interfaces closed vulnerabilities of this type are note even possible.