Calix has identified a vulnerability on GigaCenters to a SOCKS proxy attack.
Impact on Services
The SOCKS proxy attack uses malicious service-blocking rules applied via HTTP API calls using the admin or support user credentials. This configuration causes the GigaCenter to download a SOCKS proxy server and execute a malicious script.
It has been observed that the proxy listens on port 8111 and initiates or forwards huge amounts of data or DNS flows, causing CPU and memory exhaustion, resulting in WAN service impacts and causing the 5G radio to crash. The port that is opened and set as the listening port by the malicious script is a variable, so it is possible that a different port could be used.
The affected units do not recover from the 5G crash until a reboot is performed.
Impacted Systems
This issue impacts all GigaCenter (844E, 844G, 854G) systems.
Recommended Action(s)
Calix is currently working to identify how to best address GigaCenters which are already affected. Please stay tuned to this community post for more updates.
Ryan Malek - Router12 Networks LLC Internet, Phone, and Hosted Services Ph. 641.420.7180
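A flow-log check for the symptoms the advisory above lists (a listener on port 8111 or some other port, plus heavy DNS flows), added here as an example; it is not part of the thread or of Calix's advisory. The CSV layout, thresholds, addresses and the assumption that the proxy listens on TCP are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

ADVISORY_PORT = 8111   # listening port observed in the advisory
MIN_SOURCES = 3        # assumed: distinct WAN sources hitting one inbound port
DNS_FLOWS_MAX = 500    # assumed: DNS flows per interval from a single CPE

# Constructed sample: aggregated flow records for one collection interval.
SAMPLE_FLOWS = """src,dst,proto,dport,flows
203.0.113.5,198.51.100.10,tcp,8111,40
203.0.113.9,198.51.100.10,tcp,8111,12
198.51.100.10,192.0.2.53,udp,53,9000
203.0.113.5,198.51.100.11,tcp,40222,7
203.0.113.9,198.51.100.11,tcp,40222,3
192.0.2.77,198.51.100.11,tcp,40222,5
198.51.100.12,192.0.2.53,udp,53,35
203.0.113.5,198.51.100.12,tcp,443,1
"""

def suspect_cpes(flow_csv, cpe_ips):
    """Return {cpe_ip: [reasons]} for CPEs showing the advisory's symptoms."""
    inbound = defaultdict(set)  # (cpe, port) -> distinct external sources
    dns = defaultdict(int)      # cpe -> outbound DNS flow count
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port, flows = int(row["dport"]), int(row["flows"])
        if row["dst"] in cpe_ips and row["src"] not in cpe_ips and row["proto"] == "tcp":
            inbound[(row["dst"], port)].add(row["src"])
        if row["src"] in cpe_ips and port == 53:
            dns[row["src"]] += flows
    findings = defaultdict(list)
    for (cpe, port), sources in sorted(inbound.items()):
        if port == ADVISORY_PORT:
            findings[cpe].append(f"inbound tcp/{port} (advisory port)")
        elif len(sources) >= MIN_SOURCES:
            # The advisory notes the port is a variable, so also flag any
            # inbound port that many unrelated WAN sources connect to.
            findings[cpe].append(f"inbound tcp/{port} from {len(sources)} sources")
    for cpe, count in sorted(dns.items()):
        if count > DNS_FLOWS_MAX:
            findings[cpe].append(f"{count} DNS flows in interval")
    return dict(findings)

if __name__ == "__main__":
    gigacenters = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}
    for ip, reasons in suspect_cpes(SAMPLE_FLOWS, gigacenters).items():
        print(ip, "->", "; ".join(reasons))
```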
Richard, this link requires a login.
On Wed, Oct 26, 2022, 6:28 PM Richard Laager <rlaager@wiktel.com> wrote:
If you run Calix GigaCenters, they are being actively exploited.
Some details here: https://community.calix.com/s/feed/0D54u00009074nuCAA
-- Richard
To unsubscribe from the MICE-DISCUSS list, click the following link:
http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1