CVE-2019-3918
📋 TL;DR
The Alcatel Lucent I-240W-Q GPON ONT contains hard-coded credentials for Telnet and SSH interfaces, allowing attackers to gain unauthorized access to the device. This affects all devices running firmware version 3FE54567BOZJ19. Attackers can use these credentials to log in without needing to know user-configured passwords.
💻 Affected Systems
- Alcatel Lucent I-240W-Q GPON ONT
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the ONT device allowing attackers to reconfigure network settings, intercept traffic, disable services, or use the device as a pivot point into the internal network.
Likely Case
Unauthorized access to the device leading to configuration changes, service disruption, or information gathering about the network environment.
If Mitigated
Limited impact if Telnet/SSH interfaces are disabled or network access is restricted, though the vulnerability remains present in the firmware.
🎯 Exploit Status
Exploitation requires only knowledge of the hard-coded credentials and network access to Telnet/SSH interfaces. The credentials are publicly documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Later firmware versions (specific version not specified in references)
Vendor Advisory: https://www.tenable.com/security/research/tra-2019-09
Restart Required: Yes
Instructions:
1. Contact Alcatel Lucent or your ISP for updated firmware. 2. Backup current configuration. 3. Apply firmware update via web interface or management system. 4. Verify new firmware version. 5. Restart device.
🔧 Temporary Workarounds
Disable Telnet and SSH services
allDisable the vulnerable Telnet and SSH interfaces to prevent credential-based access
Access device web interface -> Network -> Services -> Disable Telnet and SSH
Network access control
linuxRestrict network access to Telnet (port 23) and SSH (port 22) using firewall rules
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 22 -j DROP
🧯 If You Can't Patch
- Disable Telnet and SSH services completely if not required
- Implement strict network segmentation and firewall rules to restrict access to the device management interfaces
🔍 How to Verify
Check if Vulnerable:
Check firmware version in web interface or via CLI. Attempt to authenticate to Telnet/SSH using documented hard-coded credentials.Check Version:
telnet [device_ip] 23 or ssh admin@[device_ip] then check version in interfaceVerify Fix Applied:
Verify firmware version is updated from 3FE54567BOZJ19. Test that hard-coded credentials no longer work for authentication.📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful login with default credentials
- Multiple login attempts from unusual IP addresses
- Configuration changes from unauthorized users
Network Indicators:
- Telnet/SSH connections to the device from unexpected sources
- Traffic patterns indicating device reconnaissance
SIEM Query:
source="ONT_logs" (event_type="authentication" AND result="success" AND user IN ["admin", "root", "support"]) OR (event_type="configuration_change" AND user NOT IN [authorized_users])