CVE-2019-3921
Published: 2019-03-05
Priority P269 · high · 8.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 17.89% (96.8th percentile)
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to a stack buffer overflow via crafted HTTP POST request sent by a remote, authenticated attacker to /GponForm/usb_Form?script/. An attacker can leverage this vulnerability to potentially execute arbitrary code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nokia | i-240w-q_gpon_ont_firmware | — | — |
| tenable | alcatel_lucent_i-240w-q_gpon_ont | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\x02\xa0\x49\x40\x52\x40\x82\x72\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x74\x66\x74\x70\x64\x58`
- bytes: `\xc0\x46`
- bytes: `\xe1\x8c\x03`
- The exploit requires a two-step HTTP POST sequence: first to /GponForm/device_Form?script/ (stack adjustment with XWebPageName=device&admin_action=usb_enable&usbenable=1), then to /GponForm/usb_Form?script/ (actual overflow). Correlate both requests from the same source IP.
- After successful exploitation, monitor for tftpd spawning on UDP port 69 of the target device, as the shellcode launches /bin/tftpd.
- The exploit payload in `clientusername` contains the ARM Thumb NOP sled (`\xc0\x46` repeated 197 times) followed by the shellcode bytes. Signature-match the byte sequence `\x02\xa0\x49\x40\x52\x40\x82\x72\x0b\x27\x01\xdf` in the HTTP POST body.
- The exploit may be chained with CVE-2018-10561 (authentication bypass) to achieve unauthenticated RCE. Correlate CVE-2018-10561 bypass attempts followed by a POST to /GponForm/usb_Form?script/.
- The exploit must be executed after a device reboot to be effective; the attacker can trigger a reboot via a DoS-based BoF crash, via the CVE-2018-10561 reboot action, or by sending the exploit payload twice.
- Affected firmware is specifically version 3FE54567BOZJ19 on the Alcatel Lucent I-240W-Q GPON ONT; detections should be scoped to this device/firmware combination.
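The correlation and signature checks listed above can be combined in one pass over HTTP request records. The following is an added example, not a rule from this page or from Tenable; the event tuple layout, the 300-second window and the 32-repeat sled threshold are assumptions, and the sample events are constructed.

```python
from urllib.parse import unquote_to_bytes

STAGE1 = "/GponForm/device_Form?script/"   # stack-adjustment request (from the page)
STAGE2 = "/GponForm/usb_Form?script/"      # overflow request (from the page)
SIG = b"\x02\xa0\x49\x40\x52\x40\x82\x72\x0b\x27\x01\xdf"  # byte signature (from the page)
SLED = b"\xc0\x46" * 32   # Thumb NOP run; the threshold of 32 is an assumption
WINDOW_S = 300            # correlation window in seconds; an assumption

def body_hits(body: bytes) -> list[str]:
    """Match the page's byte signatures in a raw or percent-encoded body."""
    hits = []
    for view in (body, unquote_to_bytes(body)):
        if SIG in view and "shellcode-signature" not in hits:
            hits.append("shellcode-signature")
        if SLED in view and "thumb-nop-sled" not in hits:
            hits.append("thumb-nop-sled")
    return hits

def detect(events):
    """events: (epoch_seconds, src_ip, method, path, body) tuples in time order."""
    last_stage1 = {}   # src_ip -> time of the most recent stage-1 POST
    alerts = []
    for ts, src, method, path, body in events:
        if method != "POST":
            continue
        if path.startswith(STAGE1) and b"admin_action=usb_enable" in body:
            last_stage1[src] = ts
        elif path.startswith(STAGE2):
            reasons = body_hits(body)
            seen = last_stage1.get(src)
            if seen is not None and ts - seen <= WINDOW_S:
                reasons.insert(0, "two-step-sequence")
            if reasons:
                alerts.append((src, ts, reasons))
    return alerts

# Constructed sample events (not captured traffic).
STAGE1_BODY = b"XWebPageName=device&admin_action=usb_enable&usbenable=1"
SAMPLE = [
    (1000, "198.51.100.7", "POST", STAGE1, STAGE1_BODY),
    (1004, "198.51.100.7", "POST", STAGE2, b"clientusername=" + b"%C0%46" * 40 + SIG),
    (1010, "203.0.113.9", "POST", STAGE2, b"clientusername=admin"),
    (2000, "203.0.113.20", "POST", STAGE1, STAGE1_BODY),
    (2900, "203.0.113.20", "POST", STAGE2, b"clientusername=guest"),  # outside window
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The two-step match alone also fires on a legitimate administrator who enables USB and then edits the USB form, so treat it as a lead to triage unless a byte signature accompanies it.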
CVSS provenance
- nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- nvd · v2.0 · 6.5 · MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
Tenable
Tenable Research Discovers Remote Code Execution Vulnerabilities in GPON Routers
blogs_tenable·2019-02-27·CVSS 7.5
# Tenable Research Discovers Remote Code Execution Vulnerabilities in GPON Routers
Tenable Research
February 27, 2019
Tenable Research has discovered six new vulnerabilities in Nokia (Alcatel-Lucent) I-240W-Q GPON routers that can provide an attacker with telnet access, DoS the target, or run arbitrary code.
### Background
Nokia (Alcatel-Lucent) I-240W-Q Gigabit Passive Optical Network (GPON) routers are designed to replace standard copper networks. These routers have become an attractive target for botnets, and turnaround from disclosure to attack is almost immediate.
Tenable researcher Artem Metla has discovered six new vulnerabilities in Nokia (Alcatel-Lucent) I-240W-Q GPON routers (CVE-2019-3917, CVE-2019-3918, CVE-2019-3919, CVE-2019-3920, CVE
Tenable
Nokia GPON ONT Multiple Vulnerabilities
blogs_tenable·2019-02-27
2019-03-05
Published