Unrated severity · NVD Advisory · Published Feb 10, 2021 · Updated Aug 3, 2024

CVE-2021-27140

Description

An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to find passwords and authentication cookies stored in cleartext in the web.log HTTP logs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cleartext passwords and authentication cookies in FiberHome HG6245D HTTP logs allow local attackers to gain admin access.

Vulnerability

The FiberHome HG6245D router (up to and including firmware RP2613) stores passwords and authentication cookies in cleartext in its web.log HTTP logs [1]. This affects the built-in HTTP/HTTPS server listening on the LAN side by default [1]. The vulnerability is present in firmware versions RP2602 and RP2613, and likely affects other FiberHome models (e.g., AN5506-04-FA) due to a shared codebase [1].

Exploitation

An attacker with local network access (LAN side) can read the log file via the web interface, or through any other attack vector (e.g., IPv6 WAN connectivity) that allows reading the logs. The logs contain cleartext credentials and cookies exchanged during web administration sessions [1]. No special privileges are required beyond the ability to reach the device's HTTP service and read the logs.

Impact

Successful exploitation allows an attacker to extract valid administrative login credentials and session cookies from the logs. With these, the attacker can log into the web admin interface and gain full administrative control over the router, including the ability to change configurations, enable a backdoor telnet daemon, or perform further attacks [1].

Mitigation

As of publication (February 2021), FiberHome has not released a fix. The latest firmware version RP2613 is still vulnerable [1]. No workaround is documented. Users are advised to limit access to the management interface to trusted networks only, monitor logs for unauthorized access, and check for firmware updates from the vendor.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
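
The defect class described above, secrets written verbatim to an HTTP log, is normally handled by masking sensitive fields before a record is written and by auditing logs that already exist. The Python sketch below is an added example, not FiberHome's code or part of the advisory; the parameter and header names and the sample records are assumptions, since the page does not document the web.log format.

```python
import re

# Assumption: these names are illustrative; the page does not document
# the actual web.log record format or field names.
SECRET_PARAMS = ("password", "passwd", "pwd", "token", "sessionid")

PATTERNS = {
    # key=value pairs in query strings or form bodies
    "param": re.compile(r"(?i)\b((?:%s)=)([^&\s\"';]+)" % "|".join(SECRET_PARAMS)),
    # Cookie / Set-Cookie header values, up to end of record or a quote
    "cookie": re.compile(r"(?i)\b((?:set-)?cookie:\s*)([^\r\n\"]+)"),
    # Authorization header credentials (scheme is kept, value is masked)
    "authorization": re.compile(r"(?i)\b(authorization:\s*\w+\s+)([^\s\"]+)"),
}
MASK = "[REDACTED]"


def redact(line):
    """Return (clean_line, kinds) with every secret value replaced by MASK."""
    kinds = []
    for kind, pattern in PATTERNS.items():
        line, hits = pattern.subn(lambda m: m.group(1) + MASK, line)
        if hits:
            kinds.append(kind)
    return line, kinds


def audit(lines):
    """List (line_number, kinds) for records that held cleartext secrets."""
    findings = []
    for number, line in enumerate(lines, start=1):
        _, kinds = redact(line)
        if kinds:
            findings.append((number, kinds))
    return findings


# Constructed sample records (not taken from a real device).
SAMPLE = [
    "GET /index.html HTTP/1.1 200",
    "POST /login.cgi HTTP/1.1 body: username=admin&password=Example-Pw1",
    "GET /status.cgi HTTP/1.1 Cookie: sid=0123456789abcdef",
    "GET /cfg?Token=abc123&page=2 HTTP/1.1",
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(redact(record)[0])
    print(audit(SAMPLE))
```

Calling `redact()` in the logging path keeps secrets out of new records, while `audit()` over an existing log shows which records need rotation of the exposed credentials.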

Affected products

2

Patches

0

No patches discovered yet.

References

1
