Vulnerability Alert

Cisco Scientific Atlanta D20 and D30 Based Cable Modem Cross-Site Scripting Vulnerability

 
Threat Type: CWE-79: Cross-Site Scripting (XSS)
IntelliShield ID: 26036
Version: 1
First Published: 2012 June 13 15:31 GMT
Last Published: 2012 June 13 15:31 GMT
Port: Not available
CVE: CVE-2012-3047
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 4.3
CVSS Version: 2.0
CVSS Temporal: 3.9
 
Version Summary:

Cisco Scientific Atlanta D20 and D30 based cable modems contain a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. Updates will be available.

 
 
Description

Cisco Scientific Atlanta cable modems (D20 and D30 based products) contain a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.

The vulnerability is due to insufficient sanitization of user-supplied input to the web wizard setup web page. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to visit a website that is designed to submit a crafted HTTP POST request to the web interface of the affected product. If the user visits the malicious page, the attacker could execute arbitrary script code in the user's browser with the security context of the affected site.

Proof-of-concept code is publicly available.

Cisco has confirmed this vulnerability, and updates will be made available to service providers.

 
Warning Indicators

This vulnerability affects all versions of DOCSIS 3.0 CPE and prior for Cisco Scientific Atlanta cable modems (D20 and D30 based products):

  • DPC/EPC2100 Cable Modem
  • DPC/EPC2505 Cable Modem
  • DPC3000/EPC3000 Cable Modem
  • DPC3008/EPC3008 Cable Modem
  • DPC/EPC3010 Cable Modem
  • DPQ/EPQ2160 DOCSIS 2.0 Cable Modem
  • DPX100/120 Cable Modem
  • DPX110 Cable Modem
  • DPX130 Cable Modem
  • DPX/EPX2100 Cable Modem
  • DPC/EPC2202 VoIP Cable Modem
  • DPC/EPC2203 VoIP Cable Modem
  • DPC/EPC 3208 VoIP Cable Modem
  • DPC/EPC3212 VoIP Cable Modem
  • DPQ2202 VoIP Cable Modem
  • DPQ3212 VoIP Cable Modem
  • DPX213 VoIP Cable Modem
  • DPX/EPX2203 VoIP Cable Modem
  • DPX/EPX2203C VoIP Cable Modem
  • DPX2213 VoIP Cable Modem
  • DPC/EPC2325 Residential Gateway with Wireless Access Point
  • DPC/EPC2434 VoIP Wireless Home Gateway
  • DPC2420 and EPC2420 Wireless Residential Gateway with Embedded Digital Voice Adapter
  • DPC3825 and EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
  • DPC3925 and EPC3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
  • DPC/EPC2425 Wireless Residential Gateway with Embedded Digital Voice Adapter
  • DPQ2425 Wireless Residential Gateway with Digital Voice Adapter
  • DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
  • DPR362 Cable Modem and Router
  • DPR/EPR2320, DPR2325 Cable Modem with Wireless Access Point
  • WAG310G Wireless-G ADSL2+ Gateway with VoIP
  • DPW700 Wireless LAN Adapter PCMCIA Card
  • DPW730 Wireless Networking Adapter
  • DPW939 USB Wireless Networking Adapter
  • DPW941 Wireless Ethernet Adapter
 
IntelliShield Analysis

Cisco PSIRT reports that the vulnerability was first identified on an end-of-life (EOL) product, the DPR2320R2 Gateway. There is no fix planned for this EOL product. Newer-generation DOCSIS 2.0 products will have fixes made available through future releases. A fix for all DOCSIS 3.0 CPE based products will be in the next GA release.

Updates are not available to end users; updates will be made available to service providers for deployment to their end users at their discretion.

To exploit the vulnerability, the attacker may provide a link via e-mail, instant messaging, or another form of communication that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.

Cisco would like to thank Marcos M. Garcia (@artsweb) for discovering this vulnerability.

 
Vendor Announcements

Vendor announcements are not available.

 
Impact
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary script code in the user's browser in the security context of the affected site. Code execution could allow the attacker to take actions as the user on that site or obtain recently submitted data.
 
Technical Information

The vulnerability is due to insufficient sanitization of user-supplied input to the VPDN Termination Setup web wizard TunnelName parameter and the Parental Control - Basic Setup web wizard Keyword parameter by the affected software when evaluating HTTP POST variables.

An unauthenticated, remote attacker could exploit this vulnerability by constructing a web page that submits a crafted HTTP POST request to the affected application. When the malicious request is processed by the affected application, the application may return a response to the user that contains attacker-supplied script code that could execute in the user's browser with the security context of the affected site.
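
The following sketch is an added example, not code from the affected firmware or from Cisco. It contrasts a handler that echoes the TunnelName and Keyword POST variables into the returned page unchanged with one that HTML-encodes them, and adds an Origin/Referer check for the cross-site POST delivery described above. The function names, the form markup and the device address are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Assumptions for this sketch: the advisory names the two parameters but does
# not publish the handler code, the form markup or a management address.
FORM_FIELDS = ("TunnelName", "Keyword")
DEVICE_ORIGIN = "http://192.168.0.1"  # hypothetical management address


def _render(post_body, encode):
    """Build the wizard form, echoing each submitted value back to the page."""
    fields = parse_qs(post_body, keep_blank_values=True)
    rows = []
    for name in FORM_FIELDS:
        value = fields.get(name, [""])[0]
        if encode:
            # Encode <, >, & and both quote characters so the value cannot
            # close the attribute or open a new tag.
            value = html.escape(value, quote=True)
        rows.append('<input name="%s" value="%s">' % (name, value))
    return "\n".join(rows)


def render_unsafe(post_body):
    """Behaviour the advisory describes: input reaches the HTML unsanitized."""
    return _render(post_body, encode=False)


def render_safe(post_body):
    """Same page with output encoding applied to every echoed value."""
    return _render(post_body, encode=True)


def same_origin(headers):
    """Accept a POST only when Origin (or Referer) is the device itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return "%s://%s" % (parts.scheme, parts.netloc) == DEVICE_ORIGIN


# Constructed sample body: a value that tries to break out of the attribute.
SAMPLE_BODY = "TunnelName=%22%3E%3Cscript%3Emarker%3C%2Fscript%3E&Keyword=news"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_BODY))
    print(render_safe(SAMPLE_BODY))
    print(same_origin({"Origin": "http://other.example"}))
```

Output encoding closes the reflection itself; the origin check is a second layer that refuses the request when it arrives from another site.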

 
Safeguards

Administrators are advised to contact the vendor regarding future updates and releases.

Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.

The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software:
Understanding Cross-Site Scripting (XSS) Threat Vectors

Users should verify that unsolicited links are safe to follow.

Administrators are advised to monitor affected systems.

 
Patches/Software

Cisco will be releasing fixed software versions in an upcoming GA release for the following products:

  • DPC3008/EPC3008 Cable Modem
  • DPC/EPC3010 Cable Modem
  • DPC/EPC3212 VoIP Cable Modem
  • DPC/EPC 3208 VoIP Cable Modem
  • DPC3825 and EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
  • DPC3925 and EPC3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA

Service providers will be able to issue the update to the firmware on the consumers' behalf as part of their software maintenance procedures.

 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Cisco
Cisco Scientific Atlanta WebSTAR Cable Modem
DPC/EPC Series Cable Modem Base | DPX/EPX Series Cable Modem Base | DPQ/EPQ Series Cable Modem Base | DPC/EPC Series VoIP Cable Modem Base | DPX/EPX Series VoIP Cable Modem Base | DPQ/EPQ Series VoIP Cable Modem Base | DPC/EPC Series Residential Gateway Base | DPQ Series Residential Gateway Base | DPR Series Residential Gateway Base | DPW Series Wireless Network Adapter Base

Associated Products:
N/A



