CVE-2021-27166 in HG6245D

Summary

by MITRE • 02/11/2021

An issue was discovered on FiberHome HG6245D devices through RP2613. The password for the enable command is gpon.


Analysis

by VulDB Data Team • 02/28/2021

The vulnerability identified as CVE-2021-27166 affects FiberHome HG6245D devices running firmware versions up to and including RP2613. It is a critical flaw in the device's administrative access controls: a hardcoded password exposes the privileged command interface to anyone who can reach it. The fixed password 'gpon' for the enable command acts as a backdoor credential that lets an attacker escalate privileges and take full administrative control of the device, bypassing the normal authentication mechanisms.

This vulnerability falls under CWE-798 (Use of Hard-coded Credentials) and, more specifically, its child CWE-259 (Use of Hard-coded Password), which cover the embedding of fixed passwords or keys in software. The flaw is a fundamental design error in the device's security architecture: the credential is not merely predictable but fixed in the firmware itself, so it cannot be changed by the operator and persists unchanged across deployments and updates until the vendor ships a firmware that removes it. This makes it particularly dangerous in production environments where these devices may be exposed to external networks.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it provides attackers with complete control over the device's configuration and management functions. Once an attacker gains access using the hardcoded password, they can modify network settings, configure port forwarding rules, install malicious firmware, or establish persistent backdoors within the network infrastructure. This represents a significant threat to network security as the HG6245D device typically serves as a customer premises equipment (CPE) device that may be directly accessible from the internet or connected to internal networks, providing attackers with potential lateral movement opportunities.

From a threat modeling perspective, this vulnerability aligns with several ATT&CK techniques including T1078.004 (Valid Accounts: Default Accounts) and T1566.001 (Phishing: Spearphishing Attachment) as attackers can leverage this weakness to establish persistent access. The device's exposure to unauthorized access creates a vector for various attack chains including network reconnaissance, privilege escalation, and potentially lateral movement within the affected network. Organizations using these devices may experience unauthorized network modifications, data exfiltration attempts, or use of the device as a pivot point for attacking other network segments.

Mitigation strategies for this vulnerability require immediate action to address the hardcoded credential issue. Device administrators should implement network segmentation to isolate these devices from critical network segments and ensure they are not directly exposed to external networks. The most effective remediation involves updating the device firmware to a version that removes or changes the hardcoded password, though this requires verification that the update process itself is secure and authentic. Network monitoring should be enhanced to detect unauthorized access attempts, and regular security audits should verify that no unauthorized changes have been made to device configurations. Additionally, implementing network access controls and firewall rules to restrict access to management interfaces can help reduce the attack surface, though the fundamental issue requires firmware-level remediation to provide complete protection against exploitation attempts.
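The monitoring the paragraph above calls for can be demonstrated with an added example (not code from VulDB or FiberHome): it reads CLI audit log lines in an assumed, constructed format, and flags every successful `enable` transition that either originates outside an assumed management subnet or follows failed attempts from the same source. The log format, the management subnet and the sample lines are all assumptions.

```python
import ipaddress
import re
from collections import Counter, namedtuple

# Assumed: the ISP administers its CPEs only from this subnet (placeholder value).
MGMT_NETS = [ipaddress.ip_network("10.200.0.0/24")]

# Constructed log format for the CPE's CLI audit log (an assumption, not FiberHome's real format):
# <timestamp> <host> cli: user=<u> src=<ip> cmd=<command> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) cli: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"cmd=(?P<cmd>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: a legitimate enable, one from the internet after a failed attempt,
# an unrelated command, and a line with a malformed source field.
SAMPLE_LOG = """\
2021-02-11T10:00:01Z hg6245d-1 cli: user=admin src=10.200.0.5 cmd=enable result=ok
2021-02-11T10:03:14Z hg6245d-1 cli: user=admin src=203.0.113.7 cmd=enable result=fail
2021-02-11T10:03:15Z hg6245d-1 cli: user=admin src=203.0.113.7 cmd=enable result=ok
2021-02-11T10:04:00Z hg6245d-1 cli: user=admin src=203.0.113.7 cmd=show-running-config result=ok
2021-02-11T10:05:00Z hg6245d-1 cli: user=admin src=not-an-ip cmd=enable result=ok
""".splitlines()

Finding = namedtuple("Finding", "ts host src reasons")

def find_privileged_access(lines, mgmt_nets=MGMT_NETS):
    """Return one Finding per successful 'enable' that looks unauthorized."""
    failed = Counter()  # failed enable attempts seen so far, per source address
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m["cmd"] != "enable":
            continue  # other command, or a line in another format
        src = m["src"]
        if m["result"] != "ok":
            failed[src] += 1
            continue
        reasons = []
        try:
            if not any(ipaddress.ip_address(src) in net for net in mgmt_nets):
                reasons.append("outside management network")
        except ValueError:
            reasons.append("unparseable source address")
        if failed[src]:
            reasons.append(f"preceded by {failed[src]} failed enable attempt(s) from same source")
        if reasons:
            findings.append(Finding(m["ts"], m["host"], src, reasons))
    return findings
```

Feed it the device's forwarded syslog instead of `SAMPLE_LOG` and alert on any non-empty result; a successful `enable` from outside the management network is the signal this advisory says to watch for.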

Reservation

02/10/2021

Disclosure

02/11/2021

Moderation

accepted

CPE

ready

EPSS

0.19844

KEV

no

Activities

very low
