Is the GenieACS provisioning script example flawed?

I think the provided provisioning flow example is probably flawed. It looks like some info (PPPoE creds in that case) are being selected depending on DeviceId.SerialNumber but its value is not being verified for previous successful authentication. This means Alice, with valid TLS certs (or HTTP credentials) for subject (or username) “001122-CPE001-EXAMPLE” would easily get Bob’s CPE002 PPPoE configurations by sending “CPE002” as DeviceId.SerialNumber value. Am I wrong? Is GenieACS always trusting unauthenticated DeviceId.* values in general?

let model = declare("InternetGatewayDevice.DeviceInfo.ModelName", {value: 1}).value[0];
let serialNumber = declare("DeviceID.SerialNumber", {value: 1}).value[0];
let productClass = declare("DeviceID.ProductClass", {value: 1}).value[0];
let oui = declare("DeviceID.OUI", {value: 1}).value[0];
let args = {serial: serialNumber, productClass: productClass, oui: oui};

//Get the PPPoE creds
let config = ext('cpe-config', 'resetPppoe', JSON.stringify(args));


Yes if you spoof the a CWMP client and spoof the serial number, product class and oui based on this provision script (which I wrote) you would get the credentials for the spoofed device. Do you know of a way around this? Because I sure as heck don’t. I mean you can implement device to CWMP authentication, and that would help, but ultimately if an attacker can get those, all bets are off.

Here is what I can tell you from experience. This script has been in production for 3-4 yrs with no issues.

It is fine if all users share the same PPPoE credentials and settings. Otherwise you should check if the serial number in HTTP credentials (different user/pass for each users of course) or subject name in TLS client certificate (again,.different subject and different keys for each user) matches that one in DeviceId elements received from CPE

There is no other option as far as I know.