CVE-2021-27177
📋 TL;DR
This vulnerability allows attackers to bypass authentication on FiberHome HG6245D devices by sending a specific decoded string to the telnet server. It affects FiberHome HG6245D optical network terminal devices, potentially exposing them to unauthorized access and control.
💻 Affected Systems
- FiberHome HG6245D
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to network infiltration, data interception, or use as a pivot point for attacking other network devices.
Likely Case
Unauthorized access to device configuration, potential for service disruption, or credential harvesting from the compromised device.
If Mitigated
Limited impact if telnet is disabled or network segmentation prevents access to vulnerable devices.
🎯 Exploit Status
The exploit involves sending the decoded value of GgpoZWxwCmxpc3QKd2hvCg== (which decodes to 'help\nlist\nwho\n') to bypass authentication. This is documented in public research.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not publicly available
Restart Required: No
Instructions:
No official patch available. Check with FiberHome for firmware updates beyond RP2613.
🔧 Temporary Workarounds
Disable Telnet Service
Disable the telnet service on affected devices to prevent exploitation (all platforms).
telnet disable
no telnet server enable
Network Access Control
Restrict telnet access to trusted management networks only using firewall rules (Linux).
iptables -A INPUT -p tcp --dport 23 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j DROP
🧯 If You Can't Patch
- Segment vulnerable devices on isolated network segments
- Implement strict network monitoring for telnet traffic to/from affected devices
🔍 How to Verify
Check if Vulnerable:
Attempt to connect via telnet and send the decoded string 'help\nlist\nwho\n' to see if authentication is bypassed.
Check Version:
show version or equivalent command on device CLI
Verify Fix Applied:
Verify telnet service is disabled or that the authentication bypass no longer works with the decoded string.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful telnet sessions
- Telnet connections from unexpected sources
Network Indicators:
- Telnet traffic to port 23 on affected devices
- Network traffic patterns showing the specific decoded string being sent
SIEM Query:
destination_port:23 AND (payload_contains:"help\nlist\nwho\n" OR auth_result:"bypass")
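The network indicators above, as an added example that is not part of the original advisory: a Python check over reassembled client-to-server telnet streams that flags the string from the Exploit Status section and connections from outside a trusted management range. The session record layout, TRUSTED_NETS and the sample sessions are assumptions constructed for illustration.

```python
import base64
import ipaddress

# Base64 value quoted in the Exploit Status section of this page.
PAGE_B64 = "GgpoZWxwCmxpc3QKd2hvCg=="
# Printable command sequence the page gives as the decoded string.
MARKER = b"help\nlist\nwho\n"
# The decoded value carries two non-printable bytes (0x1A 0x0A) before the
# text, so matching uses the text part only.
assert base64.b64decode(PAGE_B64).endswith(MARKER)

# Assumption: management hosts allowed to use telnet (RFC 5737 test range).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]


def normalize(payload: bytes) -> bytes:
    """Collapse telnet line endings (CR LF, CR NUL) to LF before matching."""
    return payload.replace(b"\r\n", b"\n").replace(b"\r\x00", b"\n")


def review_session(session: dict) -> list:
    """Return the findings for one reassembled client-to-server stream."""
    findings = []
    if session["dst_port"] != 23:
        return findings  # only telnet to the device is in scope
    src = ipaddress.ip_address(session["src"])
    if not any(src in net for net in TRUSTED_NETS):
        findings.append("telnet-from-unexpected-source")
    if MARKER in normalize(session["client_bytes"]):
        findings.append("cve-2021-27177-marker")
    return findings


# Constructed sample sessions, not captured traffic.
SAMPLE_SESSIONS = [
    {"src": "192.0.2.5", "dst_port": 23, "client_bytes": b"show version\r\n"},
    {"src": "198.51.100.7", "dst_port": 23,
     "client_bytes": base64.b64decode(PAGE_B64)},
    # Same value as sent by a client that uses CR LF line endings.
    {"src": "192.0.2.9", "dst_port": 23,
     "client_bytes": base64.b64decode(PAGE_B64).replace(b"\n", b"\r\n")},
    {"src": "198.51.100.7", "dst_port": 443, "client_bytes": MARKER},
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s["src"], s["dst_port"], review_session(s) or "clean")
```

Matching on the normalized stream catches the string regardless of line-ending style, which the literal SIEM query above would miss.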