CVE-2021-27167
📋 TL;DR
CVE-2021-27167 is a critical authentication bypass vulnerability affecting FiberHome HG6245D optical network terminals. The admin account has a hardcoded password consisting of only four hexadecimal characters, allowing attackers to gain administrative access. This affects all users of FiberHome HG6245D devices through firmware version RP2613.
💻 Affected Systems
- FiberHome HG6245D
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the device, enabling them to intercept network traffic, modify configurations, install malware, or use the device as a pivot point into internal networks.
Likely Case
Attackers exploit the hardcoded credentials to gain administrative access, potentially compromising the device and any connected networks.
If Mitigated
With proper network segmentation and access controls, the impact is limited to the affected device only.
🎯 Exploit Status
Exploitation requires only knowledge of the hardcoded password, which has been publicly documented. The vulnerability is easily weaponized due to the simplicity of the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions after RP2613
Vendor Advisory: https://www.fiberhome.com/security-advisory
Restart Required: Yes
Instructions:
1. Contact FiberHome for updated firmware.
2. Back up the current configuration.
3. Upload and install the patched firmware.
4. Reboot the device.
5. Verify the fix by checking the firmware version.
🔧 Temporary Workarounds
Disable Telnet/SSH Access
Disable remote administrative access protocols to prevent exploitation.
telnet_disable
ssh_disable
Change Admin Password
Change the admin password to a strong, unique value if the device allows password changes.
admin_password_change
🧯 If You Can't Patch
- Isolate the device in a separate network segment with strict firewall rules.
- Monitor network traffic for unauthorized access attempts and implement intrusion detection.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the device web interface or CLI. If the version is RP2613 or earlier, the device is vulnerable.
Check Version:
show version
Verify Fix Applied:
Verify the firmware version is updated to a version after RP2613 and test authentication with the previously known hardcoded password.
📡 Detection & Monitoring
Log Indicators:
- Failed login attempts followed by successful admin login
- Telnet/SSH connections from unexpected sources
Network Indicators:
- Telnet/SSH traffic to the device from unauthorized IPs
- Unusual outbound connections from the device
SIEM Query:
source="ONT" AND (event_type="authentication" AND result="success" AND user="admin")
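As an added example (not part of this advisory or of any FiberHome tooling), the following Python script applies the log indicators above to constructed ONT authentication log lines, flagging successful admin logins that come from an untrusted source, arrive over telnet/ssh, or follow a failed attempt. The log line format, the trusted management address and the five-minute window are assumptions to adapt to the real environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from a real device); the field layout is an
# assumption, so adapt LINE_RE to the actual ONT log format.
SAMPLE_LOG = """\
2021-02-10T08:01:02Z ONT auth user=admin src=10.0.0.5 proto=ssh result=fail
2021-02-10T08:01:05Z ONT auth user=admin src=10.0.0.5 proto=ssh result=success
2021-02-10T09:15:00Z ONT auth user=admin src=192.168.1.2 proto=web result=success
2021-02-10T09:20:00Z ONT auth user=user src=192.168.1.10 proto=web result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ONT auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"proto=(?P<proto>\S+) result=(?P<result>\S+)$"
)
TRUSTED_ADMIN_SOURCES = {"192.168.1.2"}  # assumed management host(s)
REMOTE_CLI = {"telnet", "ssh"}  # protocols the workaround section disables
FAIL_WINDOW = timedelta(minutes=5)  # "failed attempts followed by success"

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrelated or malformed line
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def find_suspicious_admin_logins(log_text, trusted=TRUSTED_ADMIN_SOURCES,
                                 window=FAIL_WINDOW):
    """Flag successful admin logins matching the log indicators above."""
    alerts, last_fail = [], {}  # last_fail: (user, src) -> time of last failure
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        key = (ev["user"], ev["src"])
        if ev["result"] != "success":
            last_fail[key] = ev["ts"]
            continue
        if ev["user"] != "admin":
            continue
        reasons = []
        if ev["src"] not in trusted:
            reasons.append("admin login from untrusted source")
        if ev["proto"] in REMOTE_CLI:
            reasons.append("admin login over telnet/ssh")
        if key in last_fail and ev["ts"] - last_fail[key] <= window:
            reasons.append("success shortly after failed attempt")
        if reasons:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "reasons": reasons})
    return alerts
```

Running it on the sample data raises one alert, for the ssh login from 10.0.0.5 that succeeded three seconds after a failure; the admin login from the trusted web management host is not flagged.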