Beetel 777VR1 Missing Authentication Vulnerability in UART Interface

A vulnerability allowing unauthorized access to the bootloader console via the UART interface has been identified in the Beetel 777VR1 broadband router, specifically in firmware versions through 01.00.09/01.00.09_55. This vulnerability arises from a lack of authentication in the bootloader, which is based on Realtek RTL8685S. The issue can be exploited by physically accessing the device and interrupting the boot process, although such an attack is considered complex and difficult to execute.

Impact

Exploitation of this vulnerability allows for full pre-operating system control of the device, bypassing all operating system-level security. This unrestricted access can lead to a complete compromise of the device's integrity and trust, invalidating any security measures implemented by the firmware or operating system.

Reproduction

To reproduce this vulnerability, physically access the Beetel 777VR1 router's UART interface. During the early stages of the boot process, interrupt the sequence by pressing the 'ESC' key. This action will grant immediate access to the bootloader console, which lacks any authentication or access controls.

Remediation

It is recommended to require authentication before granting access to the bootloader console, disable interactive bootloader consoles in production firmware, enforce secure boot and signed firmware verification, and restrict or remove mechanisms that allow interruption of the boot process on deployed devices.