CVE-2021-27165
📋 TL;DR
CVE-2021-27165 is a critical authentication bypass vulnerability affecting FiberHome HG6245D optical network terminals. Attackers can exploit hardcoded telnet credentials (gpon/gpon) to gain unauthorized administrative access to affected devices. This affects all FiberHome HG6245D devices through firmware version RP2613.
💻 Affected Systems
- FiberHome HG6245D
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to intercept/modify network traffic, deploy persistent malware, pivot to internal networks, or disable internet connectivity for all connected users.
Likely Case
Unauthorized administrative access leading to network traffic monitoring, DNS hijacking, credential theft, and potential lateral movement to connected devices.
If Mitigated
Limited impact with proper network segmentation and telnet disabled, though device remains vulnerable to local network attacks.
🎯 Exploit Status
Simple telnet connection with hardcoded credentials. No special tools or skills required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions after RP2613
Vendor Advisory: https://www.fiberhome.com/security/ (vendor advisory not publicly accessible)
Restart Required: Yes
Instructions:
1. Contact ISP for firmware update.
2. Download latest firmware from ISP portal.
3. Access device admin interface.
4. Navigate to firmware update section.
5. Upload new firmware file.
6. Wait for automatic reboot.
🔧 Temporary Workarounds
Disable Telnet Service
Linux: Disable the telnet daemon to prevent credential-based attacks
ps | grep telnetd    # check whether telnetd is running
killall telnetd      # stop the running daemon
Then remove telnetd from the startup scripts so it does not start again after a reboot.
Block Telnet Port
Linux: Use firewall rules to block telnet port 23
iptables -A INPUT -p tcp --dport 23 -j DROP     # drop inbound telnet to this host
iptables -A OUTPUT -p tcp --dport 23 -j DROP    # drop outbound telnet from this host
🧯 If You Can't Patch
- Segment affected devices on isolated VLAN to limit lateral movement
- Implement network monitoring for telnet connections to port 23
🔍 How to Verify
Check if Vulnerable:
Attempt telnet connection: 'telnet [device_ip] 23' then enter credentials 'gpon'/'gpon'. If login succeeds, device is vulnerable.
Check Version:
Connect with 'telnet [device_ip] 23', log in with admin credentials, then run 'cat /etc/version', or check the web interface.
Verify Fix Applied:
Attempt a telnet login with the gpon/gpon credentials; it should fail. Check that the firmware version is newer than RP2613.
📡 Detection & Monitoring
Log Indicators:
- Failed telnet authentication attempts
- Successful telnet logins from unexpected sources
- Multiple telnet connection attempts
Network Indicators:
- Telnet traffic to port 23 from external IPs
- Unusual telnet session durations
- Telnet connections followed by suspicious commands
SIEM Query:
source="firewall" dest_port=23 AND (action="allow" OR status="success")
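The network indicators above can also be checked offline against exported firewall logs. The following is an added example, not part of the original advisory; the key=value log layout, the internal address ranges and the repeat threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: address ranges treated as "internal" for this site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REPEAT_THRESHOLD = 3  # assumption: attempts per source that count as "multiple"
# Constructed sample lines in a key=value firewall log layout (not real traffic).
SAMPLE_LOG = """\
ts=2021-03-01T10:00:01Z src=203.0.113.7 dst=192.168.1.1 dest_port=23 action=allow
ts=2021-03-01T10:00:05Z src=192.168.1.50 dst=192.168.1.1 dest_port=23 action=allow
ts=2021-03-01T10:00:09Z src=198.51.100.9 dst=192.168.1.1 dest_port=23 action=deny
ts=2021-03-01T10:00:10Z src=198.51.100.9 dst=192.168.1.1 dest_port=23 action=deny
ts=2021-03-01T10:00:11Z src=198.51.100.9 dst=192.168.1.1 dest_port=23 action=deny
ts=2021-03-01T10:00:20Z src=203.0.113.7 dst=192.168.1.1 dest_port=443 action=allow
this line is malformed and must be skipped
"""

def parse_line(line):
    """Return a dict of key=value fields, or None if required fields are missing."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if not {"src", "dest_port", "action"} <= fields.keys():
        return None
    try:
        fields["src_ip"] = ipaddress.ip_address(fields["src"])
        fields["dest_port"] = int(fields["dest_port"])
    except ValueError:
        return None
    return fields

def is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)

def analyze(log_text):
    """Return (allowed external telnet events, sources with repeated attempts)."""
    external_allowed, attempts = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dest_port"] != 23:
            continue
        attempts[ev["src"]] += 1  # counts allowed and denied attempts alike
        if ev["action"] == "allow" and is_external(ev["src_ip"]):
            external_allowed.append((ev.get("ts"), ev["src"]))
    repeated = {s: n for s, n in attempts.items() if n >= REPEAT_THRESHOLD}
    return external_allowed, repeated

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```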