Beetel 777VR1 Broadband Router UART Interface Access Control Vulnerability

A critical vulnerability has been identified in the Beetel 777VR1 broadband router, specifically in the production firmware versions 01.00.09 and 01.00.09_55. The issue arises from the UART interface, which exposes unrestricted access to high-risk diagnostic and control commands. These commands, intended for development or manufacturing use, are fully functional in the production environment and bypass secure boot policies and hardware restrictions. The vulnerability allows arbitrary read and write operations to physical memory, execution control, and extraction of firmware via TFTP, enabling a complete compromise of the device.

Impact

Exploitation of this vulnerability allows for the extraction of the device's firmware, modification of memory or flash contents to introduce persistent malicious code, and bypassing of the firmware trust chain, leading to a compromise that survives reboots and firmware resets.

Reproduction

The vulnerability can be reproduced by accessing the bootloader console via UART. Once in the bootloader interface, the unrestricted commands can be executed, including arbitrary memory read and write operations, firmware extraction through TFTP, and other potentially dangerous commands.

Remediation

It is recommended to remove or disable high-risk bootloader commands in the production firmware, restrict bootloader functionality based on the hardware lifecycle state, enforce secure boot and signed firmware validation, and lock or fuse bootloader debug features prior to deployment.