Calix GigaCenter ONT Unauthenticated Telnet Access Vulnerability Granting Root Privileges

A vulnerability allowing unauthenticated Telnet access has been identified in the Calix GigaCenter ONT models 844E, 844G, 844GE, and 854GE. This vulnerability arises from the Telnet service being exposed via the Quantenna interface IP, after the Broadcom System-on-Chip completes its initialization. The exposed Telnet service allows unauthorized users to gain root access to the device.

Impact

Exploitation of this vulnerability provides unauthorized root access to the affected device via the Telnet service.

Reproduction

To reproduce this vulnerability, first scan the Quantenna interface IP address for open Telnet ports using Nmap. Once the Telnet service on port 23 is confirmed active, initiate a Telnet session to the same IP address. When prompted for a username, enter 'admin' or 'root'. No password is required for these accounts, as they do not have passwords set. This can be verified by checking the '/etc/shadow' file on the device.

Remediation

The vulnerability has been patched in the R12.2.13.4 update, available to authorized users. Users should contact their Broadband Service Provider to request the update.