Cisco Scientific Atlanta D20 and D30 based cable modems contain a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. Updates will be available.
Cisco Scientific Atlanta cable modems (D20 and D30 based products) contain a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerability is due to insufficient sanitization of user-supplied input to the web wizard setup web page. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to visit a website that is designed to submit a crafted HTTP POST request to the web interface of the affected product. If the user visits the malicious page, the attacker could execute arbitrary script code in the user's browser with the security context of the affected site.
Proof-of-concept code is publicly available.
Cisco has confirmed this vulnerability, and updates will be made available to service providers.
This vulnerability affects all versions of DOCSIS 3.0 CPE and prior for Cisco Scientific Atlanta cable models D20 and D30 based products:
DPC/EPC2100 Cable Modem
DPC/EPC2505 Cable Modem
DPC3000/EPC3000 Cable Modem
DPC3008/EPC3008 Cable Modem
DPC/EPC3010 Cable Modem
DPQ/EPQ2160 DOCSIS 2.0 Cable Modem
DPX100/120 Cable Modem
DPX110 Cable Modem
DPX130 Cable Modem
DPX/EPX2100 Cable Modem
DPC/EPC2202 VoIP Cable Modem
DPC/EPC2203 VoIP Cable Modem
DPC/EPC 3208 VoIP Cable Modem
DPC/EPC3212 VoIP Cable Modem
DPQ2202 VoIP Cable Modem
DPQ3212 VoIP Cable Modem
DPX213 VoIP Cable Modem
DPX/EPX2203 VoIP Cable Modem
DPX/EPX2203C VoIP Cable Modem
DPX2213 VoIP Cable Modem
DPC/EPC2325 Residential Gateway with Wireless Access Point
DPC/EPC2434 VoIP Wireless Home Gateway
DPC2420 and EPC2420 Wireless Residential Gateway with Embedded Digital Voice Adapter
DPC3825 and EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
DPC3925 and EPC3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
DPC/EPC2425 Wireless Residential Gateway with Embedded Digital Voice Adapter
DPQ2425 Wireless Residential Gateway with Digital Voice Adapter
DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
DPR362 Cable Modem and Router
DPR/EPR2320, DPR2325 Cable Modem with Wireless Access Point
WAG310G Wireless-G ADSL2+ Gateway with VoIP
DPW700 Wireless LAN Adapter PCMCIA Card
DPW730 Wireless Networking Adapter
DPW939 USB Wireless Networking Adapter
DPW941 Wireless Ethernet Adapter
Cisco PSIRT reports that the vulnerability was first identified on an end-of-life (EOL) product, the DPR2320R2 Gateway. There is no fix planned for this EOL product. Newer-generation DOCSIS 2.0 products will have fixes made available through future releases. A fix for all DOCSIS 3.0 CPE based products will be in the next GA release.
Updates are not available to end users; updates will be made available to service providers for deployment to their end users at their discretion.
To exploit the vulnerability, the attacker may provide a link via e-mail, instant messaging, or another form of communication that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.
Cisco would like to thank Marcos M. Garcia (@artsweb) for discovering this vulnerability.
Vendor announcements are not available.
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary script code in the user's browser in the security context of the affected site. Code execution could allow the attacker to take actions as the user on that site or obtain recently submitted data.
The vulnerability is due to insufficient sanitization of user-supplied input to the VPDN Termination Setup web wizard TunnelName parameter and the Parental Control - Basic Setup web wizard Keyword parameter by the affected software when evaluating HTTP POST variables.
An unauthenticated, remote attacker could exploit this vulnerability by constructing a web page that submits a crafted HTTP POST request to the affected application. When the malicious request is processed by the affected application, the application may return a response to the user that contains attacker-supplied script code that could execute in the user's browser with the security context of the affected site.
Administrators are advised to contact the vendor regarding future updates and releases.
Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.
The security vulnerability applies to the following combinations of products.
Cisco Scientific Atlanta WebSTAR Cable Modem
DPC/EPC Series Cable Modem Base | DPX/EPX Series Cable Modem Base | DPQ/EPQ Series Cable Modem Base | DPC/EPC Series VoIP Cable Modem Base | DPX/EPX Series VoIP Cable Modem Base | DPQ/EPQ Series VoIP Cable Modem Base | DPC/EPC Series Residential Gateway Base | DPQ Series Residential Gateway Base | DPR Series Residential Gateway Base | DPW Series Wireless Network Adapter Base
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.