Calix GigaCenter ONT Excessive Privileges Vulnerability Allowing Unauthenticated Root Access via UART

Vulnerability

A vulnerability allowing excessive privileges has been identified in the Calix GigaCenter ONT models 844E, 844G, 844GE, 854GE, 812G, 813G, and 818G, all utilizing Quantenna SoC modules. This vulnerability arises from the firmware design, which permits unauthenticated root access through the UART debugging interface connected to the Quantenna SoC. The UART console requires no credentials, enabling an individual with physical access to the device to gain full control of the system.

Impact

Exploitation of this vulnerability provides unauthenticated root access to the device via the UART interface, allowing full control over the system. This access can be used to view and modify sensitive information, such as user accounts and configuration files, and to make persistent changes to the firmware. Additionally, root access could be used to create backdoors or alter system services.

Reproduction

To reproduce this vulnerability, disassemble the router and identify the UART interfaces. Connect a USB-to-UART adapter, such as a Bus Pirate or FTDI, to the UART interface near the Quantenna SoC and serial flash memory, set the baud rate to 115200, and access the root shell. This connection bypasses authentication, granting full control over the device.

Remediation

The vulnerability has been patched in version R12.2.13.4, available to authorized users. Users should contact their Broadband Service Provider to request the update.
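
For operators tracking the update across a fleet, the following added example (not part of the original advisory and not Calix code) triages an inventory export against the affected models and the fixed release named above. The CSV layout, the serial numbers and the assumption that firmware versions are "R" followed by dot-separated integers that compare numerically are illustrative, not taken from the advisory.

```python
import csv
import io
import re

# From the advisory: affected GigaCenter models and the patched release.
AFFECTED_MODELS = {"844E", "844G", "844GE", "854GE", "812G", "813G", "818G"}
FIXED_VERSION = "R12.2.13.4"
# Assumption: versions look like "R" followed by dot-separated integers.
_VERSION_RE = re.compile(r"^R(\d+(?:\.\d+)*)$", re.IGNORECASE)


def parse_version(text):
    """Return the version as a tuple of ints, or None if it does not parse."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def classify(model, firmware):
    """Return 'not-affected', 'patched', 'vulnerable' or 'unknown'."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-affected"
    have, fixed = parse_version(firmware), parse_version(FIXED_VERSION)
    if have is None:
        return "unknown"  # unparseable: review by hand, never assume patched
    # Pad the shorter tuple with zeros so "R12.2.13" compares as 12.2.13.0.
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return "patched" if have >= fixed else "vulnerable"


def triage(inventory_csv):
    """Map each serial in a CSV (serial,model,firmware) to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["serial"]: classify(r["model"], r["firmware"]) for r in rows}


# Constructed sample inventory; serials and non-fixed versions are made up.
SAMPLE = """serial,model,firmware
ONT-0001,844G,R12.2.13.4
ONT-0002,854GE,R12.2.9.1
ONT-0003,813G,R12.10.0.2
ONT-0004,844E,unknown
ONT-0005,OTHER-1,R1.0.0.0
"""

if __name__ == "__main__":
    for serial, status in triage(SAMPLE).items():
        print(serial, status)
```

Devices reported as "unknown" are kept separate from "patched" so that a missing or malformed version field is never counted as remediated.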

Added: Sep 9, 2025, 8:34 PM
Updated: Sep 9, 2025, 8:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.