
C-DATA OLT firmware has intentional backdoors, allege researchers

13 Jul 2020

A range of optical line termination (OLT) devices made by China-based manufacturer and vendor C-DATA may be riddled with vulnerabilities and backdoors.

These OLT devices provide fibre-to-the-home (FTTH) connectivity to clients through optical network terminals (ONTs).  These devices are commonly used by telecommunications and internet service providers to deliver internet to their customers.

Security researchers Pierre Kim and Alexandre Torres published details of the vulnerabilities in a blog post last week, stating that the OLTs have evident backdoors that could allow an attacker to take over a device with complete administrator access.

The affected C-Data OLTs are badged as different brands including BLIY, Cdata, OptiLink, and V-SOL CN. According to the researchers, all available OLT models across these brands are affected.

The researchers used two OLT devices, the FD1104B and FD110SN, and the relevant up-to-date firmware versions (V1.2.2 and 2.4.05_000, 2.4.04_001 and 2.4.03_000 respectively) to validate the vulnerabilities.

One vulnerability relates to a telnet server running on the device. It is accessible from the WAN interface and from the FTTH LAN interface (from the ONTs), and allows attackers to gain CLI access using a number of different login credentials. These credentials differ depending on what firmware the device is running.

After an attacker has gained CLI access, they can then access administrator credentials by running a simple command.

The attacker can then conduct a command injection within the CLI, which allows an attacker to execute commands as root.

Furthermore, an attacker can also carry out denial of service and obtain telnet credentials, web credentials, and SNMP communities.

Researchers say that the devices also include a weak custom encryption algorithm. 

The devices rely on remote management through HTTP, telnet and SNMP, with no support for secure alternatives such as SSL/TLS for HTTP, or SSH. The researchers say attackers can intercept passwords sent in plain text, and then conduct man-in-the-middle (MITM) attacks against the devices.
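One way an operator could look for this exposure in their own network flow logs, shown as an added example that is not from the researchers or the original article. The OLT addresses, the management subnet and the flow-record format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Cleartext management services named in the article: telnet, HTTP, SNMP.
CLEARTEXT_MGMT = {("tcp", 23): "telnet", ("tcp", 80): "http", ("udp", 161): "snmp"}

# Assumptions for this example (documentation address ranges, constructed):
# the OLT addresses and the only network allowed to manage them.
OLT_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}
MGMT_NET = ipaddress.ip_network("198.51.100.0/28")

# Constructed flow records, one per line: "src dst proto dport"
SAMPLE_FLOWS = """\
198.51.100.5 192.0.2.10 tcp 23
203.0.113.77 192.0.2.10 tcp 23
203.0.113.77 192.0.2.11 udp 161
198.51.100.9 192.0.2.11 tcp 443
10.20.0.14 192.0.2.10 tcp 80
malformed line here
"""

def audit_flows(text):
    """Return (findings, skipped) for cleartext management flows to an OLT."""
    findings, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            proto, dport = parts[2].lower(), int(parts[3])
        except (IndexError, ValueError):
            skipped += 1  # count unparseable records instead of hiding them
            continue
        service = CLEARTEXT_MGMT.get((proto, dport))
        if dst not in OLT_ADDRS or service is None:
            continue
        findings.append({
            "src": str(src), "dst": str(dst), "service": service,
            # From outside the management network the service is exposed;
            # from inside it, credentials still cross the wire unencrypted.
            "severity": "low" if src in MGMT_NET else "high",
        })
    return findings, skipped

if __name__ == "__main__":
    results, bad = audit_flows(SAMPLE_FLOWS)
    for f in results:
        print(f"{f['severity']:4} {f['service']:6} {f['src']} -> {f['dst']}")
    print(f"{bad} record(s) skipped as unparseable")
```
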

The researchers believe that some of these backdoors are not mistakes.

“Full disclosure is applied as we believe some backdoors are intentionally placed by the vendor,” they conclude.

As at 13 July 2020, C-Data has not made any public announcement about the vulnerabilities. 

The researchers name the affected devices below.

“Using static analysis, these vulnerabilities also appear to affect all available OLT models as the codebase is similar:

  • 72408A
  • 9008A
  • 9016A
  • 92408A
  • 92416A
  • 9288
  • 97016
  • 97024P
  • 97028P
  • 97042P
  • 97084P
  • 97168P
  • FD1002S
  • FD1104
  • FD1104B
  • FD1104S
  • FD1104SN
  • FD1108S
  • FD1204S-R2
  • FD1204SN
  • FD1204SN-R2
  • FD1208S-R2
  • FD1216S-R1
  • FD1608GS
  • FD1608SN
  • FD1616GS
  • FD1616SN
  • FD8000”