LISTSERV 16.0 - MICE-DISCUSS Archives

*_Issue Summary_*

  Calix has identified a vulnerability on GigaCenters to a SOCKS proxy 
attack.


*_Impact on Services_*

  The SOCKS proxy attack uses malicious service-blocking rules applied 
via HTTP API calls using the admin or support user credentials. This 
configuration causes the GigaCenter to download a SOCKS proxy server and 
execute a malicious script.

It has been observed that the proxy listens on port 8111 and initiates 
or forwards huge amounts of data or DNS flows, causing CPU and memory 
exhaustion, resulting in WAN service impacts, and causes the 5G radio to 
crash. The port that is opened and set as the listening port by the 
malicious script is a variable, so it is possible that a different port 
could be used.

The affected units do not recover from the 5G crash until a reboot is 
performed.

*_Impacted Systems_*

  This issue impacts all GigaCenters(844E, 844G, 854G) systems.

*_Recommended Action(s)_*

  * Run a workflow to disable remote access and update the admin and
    support credentials on all GigaCenters. As a best practice,
    different passwords should be used for the admin and support users.
  * On the upstream core router or edge routers, add an ACL to block
    inbound access to the port used by the SOCKS proxy.
  * Reboot affected GigaCenters with service impacts.

Calix is currently working to identify how to best address GigaCenters 
which are already affected. Please stay tuned to this community post for 
more updates.

Ryan Malek - Router12 Networks LLC
Internet, Phone, and Hosted Services

Ph. 641.420.7180

On 10/26/2022 7:06 PM, Brady Kittel wrote:
> Richard, this link requires a login.
>
> On Wed, Oct 26, 2022, 6:28 PM Richard Laager <[log in to unmask]> wrote:
>
>     If you run Calix GigaCenters, they are being actively exploited.
>
>     Some details here:
>     https://community.calix.com/s/feed/0D54u00009074nuCAA
>
>     -- 
>     Richard
>
>
>     ------------------------------------------------------------------------
>
>     To unsubscribe from the MICE-DISCUSS list, click the following link:
>     http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
>     
>
>
> ------------------------------------------------------------------------
>
> To unsubscribe from the MICE-DISCUSS list, click the following link:
> http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1 
> 
>