[Lista ArNOG] Over a Million Dasan Routers Vulnerable to Remote Hacking

Jose Luis Gaspoz gaspozj at is.com.ar
Fri May 4 15:37:50 ART 2018


Unfortunately, they are vulnerable.... the Zhone units may be too (I have already opened a case).

Luckily, we have an isolated bridge, separate from data, on another VLAN, and ONU management is routed to that port, so management is not on the data channel. Nevertheless, if you bring up a CPE Manager for any ONU and go in via the forwarder of the corresponding port on the OLT, you can access /images without validation.... (obviously it does not find the file, because nothing is pointed at it)




Regards

Ing. Jose Luis Gaspoz
Internet Services S.A.
Tel: 0342-4565118
Cel: 342-5008523

From: Andres P 
Sent: Friday, May 04, 2018 2:26 PM
To: lista at arnog.com.ar
Subject: [Lista ArNOG] Over a Million Dasan Routers Vulnerable to Remote Hacking

For your information, in case anyone on the list buys these Chinese ONUs.

Regards, Andres Pugawko


---------- Forwarded message ---------
From: Lucimara Desiderá <lucimara at cert.br>
Date: Fri, May 4, 2018 1:56 p.m.
Subject: [lacnog] Over a Million Dasan Routers Vulnerable to Remote Hacking
To: <seguridad at lacnic.net>, Latin America and Caribbean Region Network Operators Group <lacnog at lacnic.net>



https://www.securityweek.com/over-million-dasan-routers-vulnerable-remote-hacking

Over a Million Dasan Routers Vulnerable to Remote Hacking
By Eduard Kovacs on May 02, 2018


Researchers have disclosed the details of two unpatched vulnerabilities
that expose more than one million home routers made by South Korea-based
Dasan Networks to remote hacker attacks.

In a blog post published on Monday, vpnMentor revealed that many
Gigabit-capable Passive Optical Network (GPON) routers, which are used
to provide fiber-optic Internet, are affected by critical
vulnerabilities. The company told SecurityWeek that the impacted devices
are made by Dasan Networks.

One of the flaws, tracked as CVE-2018-10561, allows a remote attacker to
bypass a router’s authentication mechanism simply by appending the
string “?images/” to a URL in the device’s web interface.

The second vulnerability, identified as CVE-2018-10562, allows an
authenticated attacker to inject arbitrary commands.

By combining the two security holes, a remote and unauthenticated
attacker can take complete control of a vulnerable device and possibly
the entire network, vpnMentor said. The company has published a video
showing how the attack works:

A Shodan search shows that there are more than one million GPON home
routers exposed to the Internet, a majority located in Mexico (480,000),
Kazakhstan (390,000), and Vietnam (145,000).

“Depending on what the attacker wants to achieve, he can be spying on
the user and any connected device (TV, phones, PC and even speakers like
Amazon Echo). Also he can inject malware into the browser which means
even when you leave your home network your device would be hacked now,”
Ariel Hochstadt, co-founder of vpnMentor, told SecurityWeek. “If the
hacker is resourceful (government etc) he can enable advanced spear
phishing attacks, and even route criminal activities through exploited
routers (Imagine the FBI knocks on your door telling you they saw
someone in your house using your IP address and selling stolen credit
card numbers on the dark web).”

vpnMentor said it did try to report its findings to Dasan before making
any information public, but it did not receive a response. Dasan
representatives, specifically a PR agency, reached out to vpnMentor on
LinkedIn after its blog post was published.

While in some cases Dasan has shown interest in working with researchers
who discovered vulnerabilities in its products, there are some
advisories online describing potentially critical issues that the vendor
has apparently ignored.

Malicious actors have been known to target Dasan devices. Researchers
reported recently that the Satori botnet had ensnared thousands of Dasan
routers by exploiting a remote code execution vulnerability. The flaw in
question was disclosed in December 2017 by Beyond Security, which
claimed the vendor had ignored repeated attempts to report the issue.

This is not the first time vpnMentor reports finding vulnerabilities in
network devices. Last month, the company disclosed the details of an
unpatched command injection vulnerability that can be exploited to take
control of network-attached storage (NAS) devices from LG.
_______________________________________________
Lista mailing list
Lista at arnog.com.ar
http://mailmancabase.interdotnet.com.ar/mailman/listinfo/lista
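
Added example (not part of the original messages or the SecurityWeek article): a log check for the "?images/" request pattern described for CVE-2018-10561, separating clients inside the isolated management VLAN from everyone else. The management prefix, the log format, the paths and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: the isolated management VLAN uses this prefix (constructed value).
MGMT_NET = ipaddress.ip_network("10.255.0.0/24")

# Common/Combined Log Format: client, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation addresses, made-up paths), not real traffic.
SAMPLE_LOG = """\
10.255.0.12 - - [04/May/2018:14:01:07 -0300] "GET /login.html HTTP/1.1" 200 1842
203.0.113.45 - - [04/May/2018:14:02:11 -0300] "GET /menu.html?images/ HTTP/1.1" 200 5120
203.0.113.45 - - [04/May/2018:14:02:15 -0300] "POST /status.html%3Fimages%2F HTTP/1.1" 404 0
10.255.0.30 - - [04/May/2018:14:03:40 -0300] "GET /images/logo.png HTTP/1.1" 200 912
10.255.0.30 - - [04/May/2018:14:04:02 -0300] "GET /menu.html?images/ HTTP/1.1" 200 5120
garbage line that does not parse
"""

def find_bypass_attempts(log_text, mgmt_net=MGMT_NET):
    """Return {client: [hits]} for requests carrying the '?images/' marker."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        # Decode percent-encoding so %3Fimages%2F is caught; compare case-insensitively.
        target = unquote(m["target"]).lower()
        if "?images/" not in target:
            continue  # a plain /images/... path is an ordinary static fetch
        try:
            outside = ipaddress.ip_address(m["client"]) not in mgmt_net
        except ValueError:
            outside = True  # hostname or junk in the client field: treat as untrusted
        hits[m["client"]].append({
            "time": m["ts"], "target": m["target"], "status": int(m["status"]),
            "outside_mgmt": outside,
            "served": m["status"].startswith("2"),  # 2xx: answered without a login
        })
    return dict(hits)

if __name__ == "__main__":
    for client, events in find_bypass_attempts(SAMPLE_LOG).items():
        print(client, events)
```

Hits with `outside_mgmt` set mean the web interface is reachable from the data side; hits from inside the management prefix match the forwarder path described in the first message and are still worth reviewing.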