Calix GigaCenter ONT Excessive Privileges Vulnerability Allowing Unauthenticated Root Access

Vulnerability

A vulnerability allowing excessive privileges has been identified in the Calix GigaCenter ONT models 844E, 844G, 844GE, 854GE, 812G, 813G, and 818G. It arises from the firmware design, which permits unauthenticated root access through the UART debugging interface connected to the Broadcom SoC. The UART console presents no login prompt, so anyone with physical access to the device can gain full control of the system.

Impact

Exploitation of this vulnerability provides unauthorized root access to the affected device via the UART interface, giving full control over the system. That access can be used to read and modify sensitive information such as user accounts and configuration files, and to alter the device's firmware or web application code. With root privileges, an attacker could also create backdoors, change system services, and make persistent modifications to the firmware.

Reproduction

To reproduce this vulnerability, disassemble the router and identify the UART interfaces. Connect to the UART interface near the Broadcom SoC with the baud rate set to 115200. The connection can be made with a USB-to-UART adapter such as a Bus Pirate or an FTDI-based cable; the console then presents a root shell without asking for credentials. Once root access is obtained, confidential information can be read and the system modified using the elevated privileges.

Remediation

The vulnerability has been patched in firmware version R12.2.13.4, which is available to authorized users. Subscribers should contact their Broadband Service Provider to request the update.
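Operators tracking this advisory across a fleet need to know which units still run pre-fix firmware. The following is an added example (not code from the advisory or from Calix) that parses version strings in the R12.2.13.4 form used above and flags affected models whose firmware is older than the fixed release; the inventory rows and the `hostname` field are constructed for illustration.

```python
"""Triage a device inventory against the Calix GigaCenter UART advisory.

Added example, not part of the original advisory. Assumes an inventory
export with a hostname, model, and firmware version string in the same
'R12.2.13.4' format the advisory uses (the leading 'R' is optional).
"""
import re

# Models named in the advisory as affected.
AFFECTED_MODELS = {"844E", "844G", "844GE", "854GE", "812G", "813G", "818G"}

# First firmware release the advisory reports as patched.
FIXED_VERSION = "R12.2.13.4"

_VERSION_RE = re.compile(r"^R?(\d+(?:\.\d+)*)$")


def parse_version(version):
    """Turn 'R12.2.13.4' into the tuple (12, 2, 13, 4).

    Raises ValueError for strings that are not dotted numeric releases so
    that malformed inventory data is reported rather than silently ranked.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_older_than(version, reference):
    """True if `version` sorts before `reference`, padding shorter tuples
    with zeros so 'R12.2.13' and 'R12.2.13.0' compare equal."""
    a, b = parse_version(version), parse_version(reference)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def needs_update(model, version):
    """An affected model running firmware older than the fixed release."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    return is_older_than(version, FIXED_VERSION)


def triage(inventory):
    """Return the (hostname, model, version) rows that still need the fix.

    `inventory` is an iterable of dicts with 'hostname', 'model' and
    'version' keys. Rows with unparsable versions are returned too, tagged
    with the error, because an unknown version cannot be assumed safe.
    """
    pending = []
    for row in inventory:
        try:
            if needs_update(row["model"], row["version"]):
                pending.append((row["hostname"], row["model"], row["version"]))
        except ValueError as exc:
            pending.append((row["hostname"], row["model"], f"UNPARSABLE: {exc}"))
    return pending


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"hostname": "ont-001", "model": "844E", "version": "R12.2.13.4"},
    {"hostname": "ont-002", "model": "844GE", "version": "R12.2.13.1"},
    {"hostname": "ont-003", "model": "854GE", "version": "12.1.9"},
    {"hostname": "ont-004", "model": "GC-NOT-LISTED", "version": "R11.0.0.1"},
    {"hostname": "ont-005", "model": "818G", "version": "R12.2.13"},
    {"hostname": "ont-006", "model": "813G", "version": "unknown"},
]

if __name__ == "__main__":
    for hostname, model, version in triage(SAMPLE_INVENTORY):
        print(f"{hostname:10} {model:8} {version}")
```

Because the flaw is a physical debug interface, a firmware update is the only remediation the advisory offers, so the list returned by `triage` is the set of units to raise with the service provider; the zero-padding in `is_older_than` matters because vendor release strings are not always the same length.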

Added: Sep 9, 2025, 8:33 PM
Updated: Sep 9, 2025, 8:33 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         7.5
exploitability: 4.6
remediation:    7.7
relevance:      0.5
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.