Product technical pre-warning list

T h e m e Notice on disable the ONT's telnet and WAN side web access switch
Prevent the ONT's telnet and WAN side web access from being used by
purpose
hackers, reducing the risk of being attacked
Publish
Brazil Technical Services Center
by:
Publish
All users who use Fiberhome products
to:

Notice Final soluction

status

long term：If you need to temporarily turn on the WAN side telnet, LAN

side telnet, and WAN side WEB switches due to special reasons such as
Executi
on troubleshooting in the project, you need to turn off the switches in
period
time after use.
deadline：August 10, 2020

一、 Scope
All GPON ONT devices that are activated under fiberhome OLT.

二、 Description of the scene problem applicable to this notice

The local management interface configuration on the NMS or OLT can turn on
the telnet switch on the WAN side and the LAN side of the ONT, as well as the
WEB access switch on the WAN side. Once these accesses are enabled, illegal users
may use it to invade the inside of the ONT device and use the device normally
According to serious consequences.
三、Reason analysis

When these types of permissions are turned on, illegal users may use telnet
and WEB access permissions to invade the ONT, tamper with the configuration,
execute illegal commands, and even implant illegal applications, causing the
ONT to work abnormally.
四、Solution：

1. For devices on the network, comprehensively sort out the local management
interface configuration of the ONT to ensure that the LAN side telnet, WAN side
telnet, and WAN side WEB switches of the device are in the off state. For specific
operation methods, see "5. Operation steps";
2. If you need to temporarily turn on the WAN side telnet, LAN side telnet,
and WAN side WEB switches due to special reasons such as troubleshooting in the
project, you must turn off these switch configurations in time after use.
五、Steps

1，Export the configuration file of the OLT, check whether there is the

configuration of set onu_local_manage_con, and check whether the configuration

of tel, tel_ani_s and web_ani_s is dis.

2，If it shows enable, you need to change it to disable through the network

management or OLT command line. The specific operation method is as follows：

1） Use NMS to configure the ONU's local management interface switch in the

following configuration interface：

Common Config->ETH OAM man-> ONU local man inter config

Parameter Switch

Console Disable

telnet uni Disable

telnet ani Disable

Web uni Enable

Web ani Disable

 2）Use the OLT command line to configure ONU's local management interface

switch：
Admin\onu# set onu_local_manage_con slot <slotno> pon <ponno> onu <onuno> conf

[enable|disable] cons [enable|disable] tel [enable|disable] web [enable|disable] web_p <portlist>

web_ani_s dis tel_ani_s [enable|disable] web_admin_switch [enable|disable]

Admin\onu# set onu_local_manage_con slot 1 pon 1 onu 6 conf en cons en tel dis web en web_p 80
web_ani_s dis tel_ani_s dis web_admin_switch dis

3) Also can batch configure it from OLT(ONU local manage interface configure):