SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
C-DATA OLT firmware has intentional backdoors, allege researchers
Mon, 13th Jul 2020
FYI, this story is more than a year old

A range of optical line termination (OLT) devices made by China-based manufacturer and vendor C-DATA may be riddled with vulnerabilities and backdoors.

These OLT devices provide fibre-to-the-home (FTTH) connectivity to clients through optical network terminals (ONTs).  These devices are commonly used by telecommunications and internet service providers to deliver internet to their customers.

Security researchers Pierre Kim and Alexandre Torres published details of the vulnerabilities in a blog last week, stating that the OLTs have evident backdoors that could allow an attacker to take over with complete administrator access.

The affected C-Data OLTs are badged as different brands including BLIY, Cdata, OptiLink, and V-SOL CN. According to the researchers, all available OLT models across these brands are affected.

The researchers used two OLT devices, the FD1104B and FD110SN and the relevant up-to-date firmware versions ((V1.2.2 and 2.4.05_000, 2.4.04_001 and 2.4.03_000 respectively) to validate the vulnerabilities.

One vulnerability relates to a telnet server running in the device. It is accessible from the WAN interface and from the FTTH LAN interface (from the ONTs). allows attackers to gain CLI access using a number of different login credentials. These credentials differ depending on what firmware the device is running.

After an attacker has gained CLI access, they can then access administrator credentials by running a simple command.

The attacker can then conduct a command injection within the CLI, which allows an attacker to execute commands as root.

Furthermore, an attacker can also execute denial of services, telnet credentials, web credentials, and SNMP communities.

Researchers say that the devices also include a weak custom encryption algorithm.

Because the devices rely on remote management through HTTP, telnet and SNMP, there is no secure support through the likes of SSL/TLS for HTTP, or SSH.  The researchers say attackers can intercept passwords send in plain text, and then operate man-in-the-middle (MITM) attacks against the devices.

The researchers believe that some of these backdoors are not mistakes.

“Full disclosure is applied as we believe some backdoors are intentionally placed by the vendor,” they conclude.

As at 13 July 2020, C-Data has not made any public announcement about the vulnerabilities.

The researchers name the affected devices below.

“Using static analysis, these vulnerabilities also appear to affect all available OLT models as the codebase is similar:

  • 72408A
  • 9008A
  • 9016A
  • 92408A
  • 92416A
  • 9288
  • 97016
  • 97024P
  • 97028P
  • 97042P
  • 97084P
  • 97168P
  • FD1002S
  • FD1104
  • FD1104B
  • FD1104S
  • FD1104SN
  • FD1108S
  • FD1204S-R2
  • FD1204SN
  • FD1204SN-R2
  • FD1208S-R2
  • FD1216S-R1
  • FD1608GS
  • FD1608SN
  • FD1616GS
  • FD1616SN
  • FD8000