VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2021 · Updated Aug 3, 2024

CVE-2021-27139

Description

An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to extract information from the device without authentication by disabling JavaScript and visiting /info.asp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The FiberHome HG6245D device allows unauthenticated information disclosure by disabling JavaScript and visiting /info.asp.

Vulnerability

The FiberHome HG6245D GPON FTTH router (firmware versions up to and including RP2613) exposes an "/info.asp" endpoint that discloses device information without authentication. By disabling JavaScript in the browser, an attacker can access this page directly, bypassing any client-side checks that might otherwise restrict access. This issue is present in the web server component and requires only a network connection to the device's LAN interface. [1]
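The access-control pattern described above, modeled as an added example; it is not FiberHome firmware code and does not come from the advisory. It assumes the restriction is a script redirect in the page, sets that handler beside one that validates the session on the server, and audits both the way a client that ignores JavaScript would see them. The handler names, the /login.asp path, the session token and the device fields are constructed.

```python
import re

# Constructed sample data; field names and values are illustrative, not taken from a real device.
DEVICE_INFO = {"hardware_version": "HW-EXAMPLE", "software_version": "SW-EXAMPLE"}
VALID_SESSIONS = {"constructed-session-token"}


def render_info():
    """Render the protected device details as an HTML table."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in DEVICE_INFO.items())
    return f"<table>{rows}</table>"


def info_client_side_check(cookies):
    """Weak pattern: the server always sends the data and relies on a script
    in the page to send unauthenticated visitors to the login page."""
    guard = ("<script>if(!document.cookie.includes('session='))"
             "location='/login.asp';</script>")  # hypothetical login path
    return 200, {}, guard + render_info()


def info_server_side_check(cookies):
    """Hardened pattern: the session is validated before any data is rendered."""
    if cookies.get("session") not in VALID_SESSIONS:
        return 302, {"Location": "/login.asp"}, ""
    return 200, {}, render_info()


def discloses_without_js(handler):
    """Audit check: call the handler with no credentials, discard scripts as a
    client without JavaScript would, and report whether device data remains."""
    status, _headers, body = handler({})
    visible = re.sub(r"<script\b.*?</script>", "", body, flags=re.S | re.I)
    return status == 200 and any(v in visible for v in DEVICE_INFO.values())


if __name__ == "__main__":
    for handler in (info_client_side_check, info_server_side_check):
        print(handler.__name__, "discloses without JS:", discloses_without_js(handler))
```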

Exploitation

An attacker with network access to the device (LAN or potentially WAN over IPv6 due to lack of IPv6 firewall) can simply disable JavaScript in a web browser or use a non-JavaScript HTTP client (e.g., curl) and request the URL http:///info.asp. No authentication is required. The server responds with the device's information page. [1]

Impact

Successful exploitation leads to information disclosure, including sensitive device details such as hardware version, software version, and potentially other configuration data present in the /info.asp page. This can aid an attacker in fingerprinting the device for further attacks. The disclosure occurs without requiring any privileges. [1]

Mitigation

As of the publication date (2021-02-10), there is no official patch or firmware update from FiberHome that addresses this issue. The latest firmware version, RP2613, was confirmed vulnerable. Users can mitigate risk by restricting LAN access to the device, disabling unnecessary services, and ensuring proper network segmentation. IPv6 connectivity should be firewalled to prevent external access to internal services. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
