Calix Pre-Auth RCE on Port 6998 Allows Arbitrary Code Execution as Root

Security researchers have disclosed a pre-authentication Remote Code Execution (RCE) vulnerability in Calix GigaCenter devices: a CWMP (CPE WAN Management Protocol, better known as TR-069) management service listening on TCP port 6998 accepts connections without credentials and evaluates shell command substitution in whatever it receives.

Any command an attacker injects runs with root privileges, so a single connection is enough to take full control of the device and, from there, the network behind it.

Vulnerability Details

The critical flaw exists in the CWMP service running on TCP port 6998 of affected GigaCenter devices.

Researchers found that the service does not sanitize shell metacharacters in the input it receives: text wrapped in backticks (`...`) or in POSIX command-substitution syntax ($(...)) is evaluated by a shell, so an attacker can inject arbitrary commands.

Connecting to port 6998 (for example with netcat or telnet) yields a bare prompt:

cwmp.0001>

From this prompt an attacker can run any system command simply by wrapping it in command-substitution syntax.

For example:

cwmp.0001> $(cat /etc/passwd)

The device returns the contents of /etc/passwd, proving that the injected command executed on the device itself; because the CWMP process runs as root, so does anything injected this way.

No authentication is required at any point, which is what makes the issue critical: anyone who can reach TCP port 6998 effectively has a root shell on the device.
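To make the failure mode concrete, the following is a small Python model of a prompt handler that glues the received line into a shell command, beside a hardened handler that rejects shell metacharacters, tokenizes without a shell and dispatches only to an allow-list of commands. This is an added illustration, not the GigaCenter firmware (whose handler is not public); the allow-listed commands "version" and "status" are invented for the demo, and the assumption that the vulnerable path runs input through /bin/sh is inferred from the symptoms described above.

```python
import re
import shlex
import subprocess

# Shell metacharacters that enable substitution, chaining or redirection.
SHELL_META = re.compile(r"[`$;&|<>(){}\\\n\r]")


# Hypothetical allow-listed sub-commands (invented for this demo).
def _show_version(args):
    return "ok: version 1.0 (demo)"


def _show_status(args):
    return "ok: status up (demo)"


DISPATCH = {"version": _show_version, "status": _show_status}


def vulnerable_handler(line: str) -> str:
    """Model of the bug: the received line is concatenated into a shell command
    string and executed via /bin/sh. The shell expands $(...) and `...` BEFORE
    echo runs, so `$(cat /etc/passwd)` executes with the daemon's privileges
    (root on the affected CPE)."""
    cmd = "echo unknown command: " + line
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.stdout.strip()


def hardened_handler(line: str) -> str:
    """Hardened form: refuse metacharacters, split tokens without a shell,
    dispatch only to known handlers, and never hand user text to a shell."""
    if SHELL_META.search(line):
        return "error: invalid character"
    try:
        argv = shlex.split(line)        # plain tokenizer, no expansion
    except ValueError:                  # e.g. unbalanced quote
        return "error: malformed input"
    if not argv or argv[0] not in DISPATCH:
        return "error: unknown command"
    return DISPATCH[argv[0]](argv[1:])


if __name__ == "__main__":
    payload = "$(echo pwned)"           # stands in for $(cat /etc/passwd)
    print("vulnerable:", vulnerable_handler(payload))   # substitution ran
    print("hardened:  ", hardened_handler(payload))     # rejected
```

The fix that matters is the last one: once no shell ever sees the input, quoting tricks stop being an attack surface and the metacharacter filter becomes defence in depth rather than the only line of defence.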

Affected Systems

The vulnerability impacts multiple GigaCenter models, including:

  • 812Gv2, 813Gv2, and 813Gv2-2
  • 5VT devices (developed by a third party under Calix branding)
  • Various rebranded devices (complete list unavailable)

This flaw is particularly concerning as it follows a pattern of similar vulnerabilities in GigaCenter products.

In 2022, another command injection vulnerability was discovered that allowed attackers to install SOCKS proxy servers on port 8111, causing service impacts and 5G radio crashes.

Technical Analysis

Security researchers identified the vulnerability during routine TCP/UDP port scanning (ports 1-65535) of the devices.

The CWMP service on port 6998 accepts connections without authentication, making it trivial to exploit remotely.

The vulnerability bears similarities to other command injection flaws found in router management protocols, such as the recently discovered RCE vulnerability in Ruijie Reyee Wireless Routers (CVE unassigned), which also allowed command injection through a management protocol.

Unlike network-stack bugs that need a carefully constructed exploit chain, such as the “EvilESP” IPv6 vulnerability in Windows (CVE-2022-34718), this CWMP flaw needs nothing beyond a TCP client and a single line of input.

Vendor Response

Calix has acknowledged the vulnerability but noted that it primarily affects end-of-life (EOL) products:

“Just following up on this as we have completed our analysis of our GigaCenter devices, which are still actively supported, and I can confirm that those also do not have a locally accessible CWMP (TR-069) service running.

As the only devices with this vulnerability appear to be these EOL rebranded systems, we will be closing this issue out.”

The company has promised to create an advisory for customers still deploying these unsupported CPEs.

Mitigation Recommendations

Organizations still using affected devices should:

  1. Block external access to TCP port 6998 at the network perimeter
  2. Implement strict network segmentation for IoT and network devices
  3. Update to supported device models where possible
  4. Monitor for connections to TCP port 6998 on affected devices, especially from outside the management network

This vulnerability highlights the ongoing security challenges with IoT and network devices, especially those approaching end-of-life status.
