CVE-2020-29058

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to retrieve cleartext web-server credentials by making specific CGI requests to affected CDATA optical line terminal devices. Attackers can gain administrative access to the web interface, potentially compromising the entire network device. Organizations using the listed CDATA OLT models are affected.

💻 Affected Systems

Products:
  • CDATA 72408A
  • 9008A
  • 9016A
  • 92408A
  • 92416A
  • 9288
  • 97016
  • 97024P
  • 97028P
  • 97042P
  • 97084P
  • 97168P
  • FD1002S
  • FD1104
  • FD1104B
  • FD1104S
  • FD1104SN
  • FD1108S
  • FD1204S-R2
  • FD1204SN
  • FD1204SN-R2
  • FD1208S-R2
  • FD1216S-R1
  • FD1608GS
  • FD1608SN
  • FD1616GS
  • FD1616SN
  • FD8000
Versions: All versions with vulnerable CGI scripts
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web server component handling CGI requests. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise leading to network disruption, credential harvesting, lateral movement to connected networks, and persistent backdoor installation.

🟠 Likely Case

Unauthorized administrative access to the web interface, configuration changes, service disruption, and credential theft.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict access controls and network segmentation.

🌐 Internet-Facing: HIGH - Direct exposure allows credential harvesting without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires simple HTTP requests to specific CGI endpoints. Public research includes detailed exploitation methods.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

Contact CDATA vendor for firmware updates. No official patch information available at time of analysis.

🔧 Temporary Workarounds

Block CGI Access (Linux)

Restrict access to /opt/lighttpd/web/cgi/ paths via firewall or web server configuration:

iptables -A INPUT -p tcp --dport 80 -m string --string "/opt/lighttpd/web/cgi/" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/opt/lighttpd/web/cgi/" --algo bm -j DROP

Note: the string match inspects raw packet payloads, so the port 443 rule has no effect on TLS-encrypted requests, and the port 80 rule only fires when the request actually contains that literal string; if the device exposes its CGI scripts under a URL path that differs from the filesystem path, match the URL path instead. Restricting source addresses to authorized management hosts is the more reliable control.

Network Segmentation (all platforms)

Isolate affected devices in separate VLANs with strict access controls.

🧯 If You Can't Patch

  • Implement strict network access controls to limit device access to authorized administrators only
  • Monitor network traffic for suspicious CGI requests and implement intrusion detection rules

🔍 How to Verify

Check if Vulnerable:

Test by making HTTP GET requests to the device's CGI endpoints (for example under /cgi-bin/) on ports 80/443 and checking whether the responses disclose credentials.

Check Version:

Check device web interface or console for firmware version information

Verify Fix Applied:

Verify CGI endpoints no longer return cleartext credentials when accessed

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to CGI scripts
  • Multiple failed authentication attempts followed by CGI access
  • Administrative login from unexpected IP addresses

Network Indicators:

  • HTTP requests to /opt/lighttpd/web/cgi/ paths
  • Traffic patterns showing credential harvesting

SIEM Query:

source="web_server" AND (uri="*cgi*" OR uri="*/opt/lighttpd/web/cgi/*") AND status=200
