An anonymous researcher, via vpnMentor, recently disclosed two vulnerabilities in several older models of Dasan-made GPON routers. The first is an authentication bypass, which can be used to trigger the second vulnerability, which allows remote code execution (RCE).
The first vulnerability can be triggered simply by appending the string
?images/ to a URL ending in
/GponForm/, which allows the attacker to bypass the authentication process, and from there, trigger the remote code execution.
These vulnerabilities proved to be a tempting target for attackers who would love nothing better than to take control of these vulnerable routers and add them to their botnets.
In fact, within a day of the disclosure, there were reports of the vulnerabilities being exploited in the wild. Just a few weeks later, it looks like at least five botnets, including Mirai, are working to take advantage of these bugs, according to researchers at Netlab 360.
Just how big of an impact might these vulnerabilities have? It’s the topic of debate between the researcher who found the vulnerability and Dasan, which sold the routers to ISPs in several countries.
In a blog post, the researcher states that the vulnerability is present in all GPON routers they tested, potentially resulting in “an entire network compromise.” By citing a simple Shodan search for GPON devices, they determine that over a million devices are potentially affected.
But Dasan doesn’t agree with the researcher’s findings. In an official statement, Dasan says the vulnerability is present in only two series of routers released nine years ago which, given their age, are no longer supported. Dasan’s own estimates put the number of devices affected under 240,000 – a far cry from the original researcher’s estimate of nearly a million.
Regardless of which number is more accurate, the nine-year-old routers are likely toiling away in a dusty corner somewhere, and unlikely to be patched until they completely stop working and get replaced.
A quick search on Shodan reveals that these devices are primarily in use in Mexico, Kazakhstan, and Vietnam, with several thousand devices active in Russia and Nigeria as well. It’s unsurprising then that one of the botnets took advantage of IPs in Vietnam to propagate. According to Netlab 360, right now the botnets are merely working to gain territory and are not actively planting malicious code, but that could always change.
Dasan says that anyone who has an affected GPON router has been contacted and informed of the flaws.
It will be up to the discretion of each customer to decide how to address the condition for their deployed equipment.
In case the choice isn’t to bin the router and get a new one, there is a patch available, but there’s a big catch: it’s not from Dasan, as the company hasn’t released its own patch and hasn’t indicated if it ever will. The patch was made by the researcher who disclosed the bug in the first place.
There are risks in using a third-party patch and each user will have to balance those against the costs and risks of not patching at all, attempting to quarantine the device or simply replacing it with something newer and easier to update.