CVE-2021-27142
Description
An issue was discovered on FiberHome HG6245D devices through RP2613. The web management is done over HTTPS, using a hardcoded private key that has 0777 permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FiberHome HG6245D routers use a hardcoded HTTPS private key with world-readable permissions, enabling traffic decryption.
Vulnerability
FiberHome HG6245D devices running firmware up to and including RP2613 ship with a hardcoded HTTPS private key whose file has 0777 permissions, meaning every user on the device can read, write and execute it [1]. Any local or remote attacker who can read the filesystem can therefore obtain the private key and decrypt TLS traffic. The web management interface only listens on HTTPS by default [1].
Exploitation
An attacker on the local network (LAN) or, via IPv6, potentially on the WAN can exploit this by reading the private key file from the device (e.g., via other vulnerabilities such as command injection or backdoor credentials) [1]. No authentication is required to access the key if the attacker already has file read capability. The attacker can then use the private key to perform man-in-the-middle attacks or decrypt captured HTTPS sessions [1].
Impact
Successful exploitation allows the attacker to decrypt all HTTPS traffic to and from the device's web management interface. This could lead to disclosure of sensitive information such as administrative credentials or configuration data. Combined with other vulnerabilities, it facilitates full device compromise [1].
Mitigation
As of February 2021, the vendor had not released a fix; the latest firmware version RP2613 remained vulnerable [1]. Users should monitor for firmware updates from FiberHome, restrict management access to trusted networks, and disable IPv6 if WAN exposure is a concern [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
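The permission problem described above can be checked for during a firmware review. The following is an added example, not part of the CVE record or the referenced advisory: it walks an extracted root filesystem and reports PEM private keys that users outside the owner and group can read or write. The function names, file paths and key bodies are constructed placeholders, not the device's real layout.

```python
import os
import stat
import tempfile

# PEM headers that mark a file as containing a private key.
KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)

def find_exposed_keys(root):
    """Return sorted (relative path, octal mode) for every PEM private key
    under root that users outside the owner and group can read or write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, device nodes, FIFOs
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable to the auditor; nothing to inspect
            mode = stat.S_IMODE(st.st_mode)
            if any(m in head for m in KEY_MARKERS) and mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((os.path.relpath(path, root), format(mode, "04o")))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample rootfs; paths and key bodies are placeholders."""
    pem = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    cert = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    samples = {"etc/ssl/server.key": (pem, 0o777),    # the pattern this CVE describes
               "etc/ssl/locked.key": (pem, 0o600),    # owner-only: not reported
               "etc/ssl/server.crt": (cert, 0o644)}   # public certificate: not reported
    for rel, (data, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)  # set explicitly so the umask does not interfere

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, mode in find_exposed_keys(tmp):
            print(f"{mode} {rel}")
```

The reported modes are only meaningful if the firmware extraction preserved the original file permissions.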
Affected products
- FiberHome/HG6245D
Patches
No patches discovered yet.
References
[1] pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html (mitre, x_refsource_MISC)