Calix GigaSpire Router Transmits Clear-text Dynamic DNS Credentials

Last Modified: Fri, 18 Oct 2024 19:04:44 +0000 ; Created: Fri, 18 Oct 2024 19:04:44 +0000

The Calix GigaSpire (and possibly other models) transmit credentials over the WAN interface in clear-text for Dynamic DNS services. This is done despite an encrypted alternative being available from the Dynamic DNS services.

  1. Calix GigaSpire BLAST Model: u6.1 GS4220E router (latest available firmware version 23.3.0.3.57)
  2. Setup a MitM bridge between the WAN and ONT to simulate an attacker listening to traffic.
  3. Observe that the router makes a request to GET /v3/update?hostname=MYDYNHOSTENTRY.dyndns.org&myip=REDACTED HTTP/1.1\r\n
  4. Observe that TLS 1.2/1.3+ was not used (use of http: instead of https:)
  5. Observe that the credentials for the dynamic DNS were sent in the clear by the Calix client
        GET /v3/update?hostname=MYDYNHOSTENTRY.dyndns.org&myip=REDACTED HTTP/1.1\r\n
        Host: members.dyndns.org\r\n
        Authorization: Basic bXl1c2VybmFtZTpteWNyZWQ\r\n
        User-Agent: curl/7.86.0\r\n
        Accept: */*\r\n
    

Remediation Recommendation

The vendor does not provide any way to force the use of HTTPS/TLS. The service dyndns.org offers a working, encrypted (TLS) service at https://update.dyndns.org. A workaround is to not use the Calix router for dynamic DNS updates but instead another client on the LAN.

CVSS v3.1 scores:

CVSS Base Score: 6.1
CVSS Temporal Score: 6.0
Overall CVSS Score: 5.3

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L/E:F/RL:U/RC:C/CR:M/IR:M/AR:L/MAV:A/MAC:L/MPR:N/MUI:N/MS:C/MC:N/MI:L/MA:L&version=3.1

Timeline

  • 9/16/2024: Submitted vulnerability report via vendor's online form: vendor's online form
  • 10/18/2024: No response from vendor. Disclosed publicly.