[OT] Calix GigaCenter Vulnerability
If you run Calix GigaCenters, they are being actively exploited.
Some details here: https://community.calix.com/s/feed/0D54u00009074nuCAA
-- Richard
Richard, this link requires a login.
On Wed, Oct 26, 2022, 6:28 PM Richard Laager <rlaager@wiktel.com> wrote:
If you run Calix GigaCenters, they are being actively exploited.
Some details here: https://community.calix.com/s/feed/0D54u00009074nuCAA
-- Richard
------------------------------
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
*_Issue Summary_*

Calix has identified a vulnerability on GigaCenters to a SOCKS proxy attack.

*_Impact on Services_*

The SOCKS proxy attack uses malicious service-blocking rules applied via HTTP API calls using the admin or support user credentials. This configuration causes the GigaCenter to download a SOCKS proxy server and execute a malicious script. It has been observed that the proxy listens on port 8111 and initiates or forwards huge amounts of data or DNS flows, causing CPU and memory exhaustion, resulting in WAN service impacts, and causes the 5G radio to crash. The port that is opened and set as the listening port by the malicious script is a variable, so it is possible that a different port could be used. The affected units do not recover from the 5G crash until a reboot is performed.

*_Impacted Systems_*

This issue impacts all GigaCenters (844E, 844G, 854G) systems.

*_Recommended Action(s)_*

* Run a workflow to disable remote access and update the admin and support credentials on all GigaCenters. As a best practice, different passwords should be used for the admin and support users.
* On the upstream core router or edge routers, add an ACL to block inbound access to the port used by the SOCKS proxy.
* Reboot affected GigaCenters with service impacts.

Calix is currently working to identify how to best address GigaCenters which are already affected. Please stay tuned to this community post for more updates.

Ryan Malek - Router12 Networks LLC
Internet, Phone, and Hosted Services
Ph. 641.420.7180

On 10/26/2022 7:06 PM, Brady Kittel wrote:
Richard, this link requires a login.
On Wed, Oct 26, 2022, 6:28 PM Richard Laager <rlaager@wiktel.com> wrote:
If you run Calix GigaCenters, they are being actively exploited.
Some details here: https://community.calix.com/s/feed/0D54u00009074nuCAA
-- Richard
participants (3)
- Brady Kittel
- Richard Laager
- Ryan Malek
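
Added example, not part of the Calix advisory or of any poster's message: a flow-record triage that lists subscriber CPE addresses answering inbound TCP connections, so affected GigaCenters can be found and the ACL verified even when the proxy is not on port 8111. The CSV layout, the 203.0.113.0/24 subscriber prefix and the allowed-port list are assumptions made for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

PROXY_PORT = 8111  # port observed in the advisory; the advisory notes it can vary

# Constructed sample flow export: time,src,dst,proto,dport,bytes_in,bytes_reply
SAMPLE_FLOWS = """\
2022-10-26T18:01:02,198.51.100.7,203.0.113.10,tcp,8111,5200,981000
2022-10-26T18:01:05,198.51.100.9,203.0.113.10,tcp,8111,4100,455000
2022-10-26T18:01:09,198.51.100.7,203.0.113.11,tcp,8111,120,0
2022-10-26T18:02:00,198.51.100.30,203.0.113.12,tcp,9443,7000,1200000
2022-10-26T18:02:10,203.0.113.13,192.0.2.53,udp,53,80,160
2022-10-26T18:02:11,198.51.100.31,203.0.113.13,tcp,443,900,4000
"""

def find_suspect_cpes(flow_csv, cpe_prefix, allowed_ports=frozenset()):
    """Return {cpe_ip: {port: reply_bytes}} for answered inbound TCP flows."""
    net = ipaddress.ip_network(cpe_prefix)
    hits = defaultdict(lambda: defaultdict(int))
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 7:
            continue  # skip blank or malformed lines
        _ts, src, dst, proto, dport, _bytes_in, reply = row
        inbound = (ipaddress.ip_address(dst) in net
                   and ipaddress.ip_address(src) not in net)
        # Only answered flows count: a reply means something is listening on
        # the CPE. Unanswered probes (reply == 0) hit a closed or ACL'd port.
        if (proto == "tcp" and inbound and int(reply) > 0
                and int(dport) not in allowed_ports):
            hits[dst][int(dport)] += int(reply)
    return {ip: dict(ports) for ip, ports in hits.items()}

def classify(ports):
    """Label a CPE by whether an answered port matches the advisory's 8111."""
    return "port-8111-proxy" if PROXY_PORT in ports else "other-listening-port"

if __name__ == "__main__":
    # allowed_ports is a hypothetical list of ports you expect CPEs to answer on
    suspects = find_suspect_cpes(SAMPLE_FLOWS, "203.0.113.0/24", allowed_ports={443})
    for ip, ports in sorted(suspects.items()):
        print(ip, classify(ports), ports)
```

Units labelled other-listening-port are candidates for review only, since the advisory says the listening port is set by the script and may differ from 8111.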