CVE-2019-13411

10.0 CRITICAL

📋 TL;DR

This critical vulnerability in HiNet GPON firmware allows unauthenticated remote attackers to execute arbitrary commands through port 3097. It affects HiNet GPON devices running firmware versions before I040GWR190731. Attackers can gain complete control of affected devices from anywhere on the internet.

💻 Affected Systems

Products:
  • HiNet GPON devices
Versions: All firmware versions before I040GWR190731
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Port 3097 is typically open by default on affected devices. The vulnerability is in the command handler for invalid commands.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the device allowing attackers to install persistent backdoors, pivot to internal networks, intercept/modify traffic, or use the device for botnet activities.

🟠 Likely Case

Remote code execution leading to device takeover, credential theft, network reconnaissance, and potential lateral movement to other systems.

🟢 If Mitigated

With proper firewalling and network segmentation in place, impact is limited to the specific device, with no lateral movement.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects internet-facing network devices.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks, but the attacker must first have internal access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is simple to exploit with publicly available proof-of-concept code. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: I040GWR190731 or later

Vendor Advisory: https://www.twcert.org.tw/en/cp-128-3013-92adb-2.html

Restart Required: Yes

Instructions:

1. Download firmware version I040GWR190731 or later from vendor.
2. Backup current configuration.
3. Apply firmware update through device management interface.
4. Reboot device.
5. Verify firmware version.

🔧 Temporary Workarounds

Block port 3097 at firewall

linux

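Block external access to port 3097 on affected devices. The rules below use the INPUT chain, which filters traffic addressed to the host they run on; on a Linux gateway that forwards traffic to the device, the equivalent rules belong in the FORWARD chain.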

iptables -A INPUT -p tcp --dport 3097 -j DROP
iptables -A INPUT -p udp --dport 3097 -j DROP

Network segmentation

all

Isolate GPON devices in separate VLAN with restricted access

🧯 If You Can't Patch

  • Implement strict firewall rules blocking all external access to port 3097
  • Monitor network traffic to port 3097 for suspicious activity and implement IDS/IPS rules

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the device management interface or CLI. If the version is earlier than I040GWR190731, the device is vulnerable.

Check Version:

Check via device web interface or vendor-specific CLI commands (varies by device model)

Verify Fix Applied:

Verify firmware version shows I040GWR190731 or later in device management interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual connections to port 3097
  • Unexpected command execution logs
  • Failed authentication attempts to device management

Network Indicators:

  • Traffic to port 3097 from unexpected sources
  • Unusual outbound connections from GPON devices
  • Command injection patterns in network traffic

SIEM Query:

(source_port:3097 OR dest_port:3097) AND (event_type:connection OR event_type:firewall)
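
The "traffic to port 3097 from unexpected sources" indicator can also be checked offline against firewall logs. The script below is an added example, not part of the advisory or any vendor tooling; it assumes netfilter LOG-style key=value records, and the allowlisted management network, log prefix and sample lines are all constructed.

```python
import ipaddress
import re
from collections import Counter

GPON_PORT = 3097  # service port named in the advisory

# Assumption: networks permitted to reach port 3097 on the devices (constructed).
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample records in the netfilter LOG target's key=value format.
SAMPLE_LOG = """\
Aug  1 10:00:01 fw kernel: GPON3097 IN=eth0 OUT=eth1 SRC=192.0.2.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40112 DPT=3097 SYN
Aug  1 10:00:07 fw kernel: GPON3097 IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51514 DPT=3097 SYN
Aug  1 10:00:09 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51515 DPT=443 SYN
Aug  1 10:00:12 fw kernel: GPON3097 IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=198.51.100.11 LEN=48 PROTO=UDP SPT=5353 DPT=3097
Aug  1 10:00:15 fw kernel: truncated line SRC=not-an-ip DPT=3097
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def unexpected_3097(log_text):
    """Return (src, dst, proto) for each port-3097 record from a non-allowed source."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("DPT") != str(GPON_PORT):
            continue
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # malformed or truncated record: skip instead of crashing
        if not any(src in net for net in ALLOWED_SOURCES):
            hits.append((str(src), fields.get("DST", ""), fields.get("PROTO", "")))
    return hits


def sources_by_count(hits):
    """Rank offending source addresses by number of matching records."""
    return Counter(src for src, _, _ in hits).most_common()


if __name__ == "__main__":
    for src, count in sources_by_count(unexpected_3097(SAMPLE_LOG)):
        print(f"{src}: {count} connection attempt(s) to port {GPON_PORT}")
```
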
