Calix GigaCenter ONT Insecure Storage of Sensitive Information Vulnerability

Vulnerability

A vulnerability exists in the Calix GigaCenter ONT models 844E, 844G, 844GE, and 854GE, all of which use Quantenna SoC modules. The vulnerability arises from the insecure storage of sensitive information, specifically credentials, in the device's firmware. The WPA2 pre-shared key is stored in plaintext, and the administrative credentials for the Quantenna web interface are stored as weak MD5 hashes. Anyone with physical access to the device can recover these credentials and gain unauthorized access to the network and to device management.

Impact

Exploitation of this vulnerability allows for unauthorized access to the Quantenna web application using extracted administrative credentials, as well as access to the WPA2 pre-shared key, facilitating unauthorized network access.

Reproduction

The vulnerability can be reproduced by physically accessing the device and extracting the firmware from the SPI flash memory using a CH341 programmer. After extracting the JFFS2 file system from the firmware, the WPA2 password can be recovered from the hostapd.conf file. Additionally, administrative credentials for the Quantenna web application can be retrieved from the admin.conf file by cracking the weak MD5 hashes using a common password dictionary. The extracted 'super' user credentials can then be used to access the Quantenna web application.

Remediation

Users can update to the R12.2.13.4 patch, available to authorized users, to address this vulnerability. Those with concerns about the security of their ONT devices should contact their Broadband Service Provider to request the update.
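
An added example, not code from Calix or from the original advisory: a firmware reviewer can run a check like this over an unpacked filesystem image to flag the two storage patterns described above, a plaintext passphrase in a hostapd configuration and MD5-shaped hashes in other configuration files. The sample tree is constructed, and the admin.conf layout it uses is an assumption.

```python
import os
import re
import tempfile

# wpa_passphrase is hostapd's option for a cleartext WPA passphrase.
PASSPHRASE_RE = re.compile(r"^\s*wpa_passphrase\s*=\s*\S")
# A bare 32-hex-digit token has the shape of an unsalted MD5 digest.
MD5_SHAPE_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")


def audit_tree(root):
    """Walk an unpacked firmware root; return sorted (relpath, line_no, finding)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and device nodes from the image
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
            for no, line in enumerate(lines, 1):
                if line.lstrip().startswith("#"):
                    continue  # commented-out settings are not live secrets
                if PASSPHRASE_RE.match(line):
                    findings.append((rel, no, "plaintext-wpa-passphrase"))
                if MD5_SHAPE_RE.search(line):
                    findings.append((rel, no, "md5-shaped-hash"))
    return sorted(findings)  # secret values are never echoed, only locations


def build_sample_tree(root):
    """Constructed sample files; contents are placeholders, not device data."""
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    samples = {
        "hostapd.conf": "interface=wifi0\n#wpa_passphrase=old\nwpa_passphrase=CONSTRUCTED-VALUE\n",
        "admin.conf": "super," + "0" * 32 + "\n",  # assumed layout: user,md5hex
        "version": "build=constructed\n",
    }
    for name, text in samples.items():
        with open(os.path.join(etc, name), "w", encoding="utf-8") as fh:
            fh.write(text)


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, no, finding in run_demo():
        print(f"{rel}:{no}: {finding}")
```

A 32-hex-digit match only indicates the shape of an MD5 digest, so each hit still needs a manual look at how the value is used.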

Added: Sep 9, 2025, 9:30 PM
Updated: Sep 9, 2025, 9:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.