https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872
Wow… Just wow.
Owen
But who, who I ask, opens their management interface to the public Internet?!?!
Maybe this is a vulnerability if you have a compromised management network, but anybody who opens CPE up to the Internet is just barking mad :-)
-mel via cell
On Jul 10, 2020, at 10:00 AM, Owen DeLong <owen@delong.com> wrote:
https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872
Wow… Just wow.
Owen
Um, from the article it appears that this isn’t on the Management interface, but the WAN port of the OLT. Owen
On Jul 10, 2020, at 11:01 , Mel Beckman <mel@beckman.org> wrote:
But who, who I ask, opens their management interface to the public Internet?!?!
Maybe this is a vulnerability if you have a compromised management network, but anybody who opens CPE up to the Internet is just barking mad :-)
-mel via cell
On Jul 10, 2020, at 10:00 AM, Owen DeLong <owen@delong.com> wrote:
https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872
Wow… Just wow.
Owen
The “WAN” port of an OLT _is_ its management port. Data, IPTV, and VoIP traffic pass on VLANs, typically encrypted. These are passive optical network (PON) devices, where all CPE in a group of, say, 32 premises receive the same light via an optical splitter. Thus network partitioning is a requirement of the architecture. There is no concept of a traditional “WAN” port facing the Internet.
-mel via cell
On Jul 10, 2020, at 12:21 PM, Owen DeLong <owen@delong.com> wrote:
Um, from the article it appears that this isn’t on the Management interface, but the WAN port of the OLT.
Owen
On Jul 10, 2020, at 11:01 , Mel Beckman <mel@beckman.org> wrote:
But who, who I ask, opens their management interface to the public Internet?!?!
Maybe this is a vulnerability if you have a compromised management network, but anybody who opens CPE up to the Internet is just barking mad :-)
-mel via cell
On Jul 10, 2020, at 10:00 AM, Owen DeLong <owen@delong.com> wrote:
https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872
Wow… Just wow.
Owen
Perhaps you’re confusing OLT with ONT? An OLT is a “curbside” distribution node, the ONT is the CPE. The vulnerability is in the distribution node, not the CPE. No provider with any sense exposes their distribution node admin interface to the Internet.
-mel via cell
On Jul 10, 2020, at 1:01 PM, mel@beckman.org wrote:
The “WAN” port of an OLT _is_ its management port. Data, IPTV, and VoIP traffic pass on VLANs, typically encrypted. These are passive optical network (PON) devices, where all CPE in a group of, say, 32 premises receive the same light via an optical splitter. Thus network partitioning is a requirement of the architecture. There is no concept of a traditional “WAN” port facing the Internet.
-mel via cell
On Jul 10, 2020, at 12:21 PM, Owen DeLong <owen@delong.com> wrote:
Um, from the article it appears that this isn’t on the Management interface, but the WAN port of the OLT.
Owen
On Jul 10, 2020, at 11:01 , Mel Beckman <mel@beckman.org> wrote:
But who, who I ask, opens their management interface to the public Internet?!?!
Maybe this is a vulnerability if you have a compromised management network, but anybody who opens CPE up to the Internet is just barking mad :-)
-mel via cell
On Jul 10, 2020, at 10:00 AM, Owen DeLong <owen@delong.com> wrote:
https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872
Wow… Just wow.
Owen
Well here are a couple hundred:
https://www.shodan.io/search?query=Command+Line+Interface+for+EPON+System
-Keith
Mel Beckman wrote on 7/10/2020 1:07 PM:
Perhaps you’re confusing OLT with ONT? An OLT is a “curbside” distribution node, the ONT is the CPE. The vulnerability is in the distribution node, not the CPE. No provider with any sense exposes their distribution node admin interface to the Internet.
-mel via cell
On Jul 10, 2020, at 1:01 PM, mel@beckman.org wrote:
The “WAN” port of an OLT _is_ its management port. Data, IPTV, and VoIP traffic pass on VLANs, typically encrypted. These are passive optical network (PON) devices, where all CPE in a group of, say, 32 premises receive the same light via an optical splitter. Thus network partitioning is a requirement of the architecture. There is no concept of a traditional “WAN” port facing the Internet.
-mel via cell
On Jul 10, 2020, at 12:21 PM, Owen DeLong <owen@delong.com> wrote:
Um, from the article it appears that this isn’t on the Management interface, but the WAN port of the OLT.
Owen
On Jul 10, 2020, at 11:01 , Mel Beckman <mel@beckman.org> wrote:
But who, who I ask, opens their management interface to the public Internet?!?!
Maybe this is a vulnerability if you have a compromised management network, but anybody who opens CPE up to the Internet is just barking mad :-)
-mel via cell
On Jul 10, 2020, at 10:00 AM, Owen DeLong <owen@delong.com> wrote:
Wow… Just wow.
Owen
Almost no surprise they are all third world, still scary in a sense. Might just have to rethink a blacklist strategy for traffic originating behind those locations.
--
J. Hellenthal
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Jul 10, 2020, at 15:30, blakangel@gmail.com wrote:
Well here are a couple hundred:
https://www.shodan.io/search?query=Command+Line+Interface+for+EPON+System
-Keith
Mel Beckman wrote on 7/10/2020 1:07 PM:
Perhaps you’re confusing OLT with ONT? An OLT is a “curbside” distribution node, the ONT is the CPE. The vulnerability is in the distribution node, not the CPE. No provider with any sense exposes their distribution node admin interface to the Internet.
-mel via cell
On Jul 10, 2020, at 1:01 PM, mel@beckman.org wrote:
The “WAN” port of an OLT _is_ its management port. Data, IPTV, and VoIP traffic pass on VLANs, typically encrypted. These are passive optical network (PON) devices, where all CPE in a group of, say, 32 premises receive the same light via an optical splitter. Thus network partitioning is a requirement of the architecture. There is no concept of a traditional “WAN” port facing the Internet.
-mel via cell
On Jul 10, 2020, at 12:21 PM, Owen DeLong <owen@delong.com> wrote:
Um, from the article it appears that this isn’t on the Management interface, but the WAN port of the OLT.
Owen
On Jul 10, 2020, at 11:01 , Mel Beckman <mel@beckman.org> wrote:
But who, who I ask, opens their management interface to the public Internet?!?!
Maybe this is a vulnerability if you have a compromised management network, but anybody who opens CPE up to the Internet is just barking mad :-)
-mel via cell
On Jul 10, 2020, at 10:00 AM, Owen DeLong <owen@delong.com> wrote:
Wow… Just wow.
Owen
On 12/Jul/20 23:43, J. Hellenthal via NANOG wrote:
Almost no surprise they are all third world, still scary in a sense. Might just have to rethink a blacklist strategy for traffic originating behind those locations.
Still don't know what "third world" means (of course I do...), but looking at what the guy in the top seat in America is doing, we are as equally concerned about kit coming out of there as we are coming out of anywhere else. I will say that where we once had confidence that the traditional vendors had us in their best interests, that trust level is not automatically the same in 2020. Mark.
Mark Tinka wrote on 13/07/2020 16:03:
Still don't know what "third world" means (of course I do...), but
Obviously he means countries like Sweden, Ireland and Switzerland.
https://en.wikipedia.org/wiki/Third_World#/media/File:Cold_War_alliances_mid...
It's not clear why there's any relationship between third world status and the choice of PON/active FTTP equipment used in 2020. Or maybe there's some subtlety that is being lost here. Hard to tell.
Nick
On 13/Jul/20 17:25, Nick Hilliard wrote:
Obviously he means countries like Sweden, Ireland and Switzerland.
https://en.wikipedia.org/wiki/Third_World#/media/File:Cold_War_alliances_mid...
It's not clear why there's any relationship between third world status and the choice of PON/active FTTP equipment used in 2020. Or maybe there's some subtlety that is being lost here. Hard to tell.
:-). Mark.
Fiscal and logistic reasons, would be my guess.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
----- Original Message -----
From: "Nick Hilliard" <nick@foobar.org>
To: "Mark Tinka" <mark.tinka@seacom.com>
Cc: nanog@nanog.org
Sent: Monday, July 13, 2020 10:25:20 AM
Subject: Re: Anyone running C-Data OLTs?
Mark Tinka wrote on 13/07/2020 16:03:
Still don't know what "third world" means (of course I do...), but
Obviously he means countries like Sweden, Ireland and Switzerland.
https://en.wikipedia.org/wiki/Third_World#/media/File:Cold_War_alliances_mid...
It's not clear why there's any relationship between third world status and the choice of PON/active FTTP equipment used in 2020. Or maybe there's some subtlety that is being lost here. Hard to tell.
Nick
I think the article may also be confusing OLT and ONT. They are talking about how the “OLT” that is vulnerable is the device that translates the fibre into the copper Ethernet connected to customers' equipment, which may indicate these are actually ONTs being talked about, or the article authors got their explanation confused. For these to be internet exposed presumably they must be including a router function and not simply doing some bridging of customer traffic. I haven’t checked (on mobile) but those affected model numbers could confirm if it’s OLT, ONT, or both. Possibly the confusion could come from the bug affecting both.
Regards
Alexander
Alexander Neilson
Neilson Productions Limited
021 329 681
alexander@neilson.net.nz
On 11/07/2020, at 08:04, Mel Beckman <mel@beckman.org> wrote:
The “WAN” port of an OLT _is_ its management port. Data, IPTV, and VoIP traffic pass on VLANs, typically encrypted. These are passive optical network (PON) devices, where all CPE in a group of, say, 32 premises receive the same light via an optical splitter. Thus network partitioning is a requirement of the architecture. There is no concept of a traditional “WAN” port facing the Internet.
-mel via cell
On Jul 10, 2020, at 12:21 PM, Owen DeLong <owen@delong.com> wrote:
Um, from the article it appears that this isn’t on the Management interface, but the WAN port of the OLT.
Owen
On Jul 10, 2020, at 11:01 , Mel Beckman <mel@beckman.org> wrote:
But who, who I ask, opens their management interface to the public Internet?!?!
Maybe this is a vulnerability if you have a compromised management network, but anybody who opens CPE up to the Internet is just barking mad :-)
-mel via cell
On Jul 10, 2020, at 10:00 AM, Owen DeLong <owen@delong.com> wrote:
Wow… Just wow.
Owen
On 7/10/20 6:22 PM, Alexander Neilson wrote:
I haven’t checked (on mobile) but those affected model numbers could confirm if it’s OLT, ONT, or both. Possibly the confusion could come from the bug affecting both.
All of the part numbers I was able to find a description of (after sifting through the numerous pages copying the vulnerability disclosure) appeared to be low-cost, low- to mid-density pizza-box EPON OLTs. I didn't see any ONUs, but then I also didn't find data on everything. I know a lot of EPON deployments go for all-in-ones with the ONU, router, WLAN, etc. integrated into a single box, presumably because it's cheaper for initial deployment than separate boxes for ONU and CPE router/AP. No indication of those being affected in this notice, at least that I could find.
--
Brandon Martin
On 11/Jul/20 02:16, Brandon Martin wrote:
All of the part numbers I was able to find a description of (after sifting through the numerous pages copying the vulnerability disclosure) appeared to be low-cost, low- to mid-density pizza-box EPON OLTs. I didn't see any ONUs, but then I also didn't find data on everything.
I know a lot of EPON deployments go for all-in-ones with the ONU, router, WLAN, etc. integrated into a single box, presumably because it's cheaper for initial deployment than separate boxes for ONU and CPE router/AP. No indication of those being affected in this notice, at least that I could find.
A number of vendors, these days, implement Active-E and GPON in the same chassis, and you can decide what you want to run it as. I recall Cisco picked up some company back around 2014 that gave them this style of box in the ME4600. Not sure how it's doing nowadays. Tejas do the same with their Ethernet boxes. Mark.
On Fri, Jul 10, 2020 at 9:22 PM Owen DeLong <owen@delong.com> wrote:
Um, from the article it appears that this isn’t on the Management interface, but the WAN port of the OLT.
From the original at https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.h... it is very clear that we are talking about the OLT.
However any sane deployment would not be exposing the management to the internet. You would have that stuff on a vlan separate from customer traffic. I realise there are plenty of not so sane deployments out there. Regards, Baldur
On 10/Jul/20 18:58, Owen DeLong wrote:
Wow… Just wow.
And unlike routers, switches (and OLTs) don't seem to get as much love re: vulnerability software upgrades with operators, despite the vendors putting out code often enough (C-Data notwithstanding, of course).
Mark.
participants (10): Alexander Neilson, Baldur Norddahl, blakangel@gmail.com, Brandon Martin, J. Hellenthal, Mark Tinka, Mel Beckman, Mike Hammett, Nick Hilliard, Owen DeLong