AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:C
-
Cisco Scientific Atlanta cable modems (D20 and D30 based products) contain a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerability is due to insufficient sanitization of user-supplied input to the web wizard setup web page. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to visit a website that is designed to submit a crafted HTTP POST request to the web interface of the affected product. If the user visits the malicious page, the attacker could execute arbitrary script code in the user's browser with the security context of the affected site.
Proof-of-concept code is publicly available.
Cisco has confirmed this vulnerability, and updates will be made available to service providers.
Cisco PSIRT reports that the vulnerability was first identified on an end-of-life (EOL) product, the DPR2320R2 Gateway. There is no fix planned for this EOL product. Newer-generation DOCSIS 2.0 products will have fixes made available through future releases. A fix for all DOCSIS 3.0 CPE based products will be in the next GA release.
Updates are not available to end users; updates will be made available to service providers for deployment to their end users at their discretion.
To exploit the vulnerability, the attacker may provide a link via e-mail, instant messaging, or another form of communication that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.
Cisco would like to thank Marcos M. Garcia (@artsweb) for discovering this vulnerability.
-
Vendor announcements are not available.
Vulnerable Products
This vulnerability affects all versions of DOCSIS 3.0 CPE and prior for Cisco Scientific Atlanta cable modems D20 and D30 based products:
- DPC/EPC2100 Cable Modem
- DPC/EPC2505 Cable Modem
- DPC3000/EPC3000 Cable Modem
- DPC3008/EPC3008 Cable Modem
- DPC/EPC3010 Cable Modem
- DPQ/EPQ2160 DOCSIS 2.0 Cable Modem
- DPX100/120 Cable Modem
- DPX110 Cable Modem
- DPX130 Cable Modem
- DPX/EPX2100 Cable Modem
- DPC/EPC2202 VoIP Cable Modem
- DPC/EPC2203 VoIP Cable Modem
- DPC/EPC 3208 VoIP Cable Modem
- DPC/EPC3212 VoIP Cable Modem
- DPQ2202 VoIP Cable Modem
- DPQ3212 VoIP Cable Modem
- DPX213 VoIP Cable Modem
- DPX/EPX2203 VoIP Cable Modem
- DPX/EPX2203C VoIP Cable Modem
- DPX2213 VoIP Cable Modem
- DPC/EPC2325 Residential Gateway with Wireless Access Point
- DPC/EPC2434 VoIP Wireless Home Gateway
- DPC2420 and EPC2420 Wireless Residential Gateway with Embedded Digital Voice Adapter
- DPC3825 and EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
- DPC3925 and EPC3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
- DPC/EPC2425 Wireless Residential Gateway with Embedded Digital Voice Adapter
- DPQ2425 Wireless Residential Gateway with Digital Voice Adapter
- DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
- DPR362 Cable Modem and Router
- DPR/EPR2320, DPR2325 Cable Modem with Wireless Access Point
- WAG310G Wireless-G ADSL2+ Gateway with VoIP
- DPW700 Wireless LAN Adapter PCMCIA Card
- DPW730 Wireless Networking Adapter
- DPW939 USB Wireless Networking Adapter
- DPW941 Wireless Ethernet Adapter
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Administrators are advised to contact the vendor regarding future updates and releases.
Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.
The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software:
Understanding Cross-Site Scripting (XSS) Threat Vectors
Users should verify that unsolicited links are safe to follow.
Administrators are advised to monitor affected systems.
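An added example (not part of the Cisco advisory) of the monitoring advised above: it flags logged POST requests to a device's web interface that arrive from another site or carry markup in a form value. The record fields, device addresses and URL path are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: addresses where the modem/gateway web interface answers on the
# LAN. Replace with the management addresses used in your deployment.
DEVICE_HOSTS = {"192.168.100.1", "192.168.0.1"}

# HTML tag openers, javascript: URLs and inline event handlers have no place
# in a setup-wizard form value.
MARKUP = re.compile(r"<\s*[a-z/!]|javascript:|\bon[a-z]+\s*=", re.I)

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def classify(rec):
    """Return the reasons a logged request looks like an attempt, or []."""
    if rec["method"] != "POST" or host_of(rec["url"]) not in DEVICE_HOSTS:
        return []
    reasons = []
    source = rec.get("origin") or rec.get("referer") or ""
    if source and host_of(source) not in DEVICE_HOSTS:
        reasons.append("cross-site POST from " + (host_of(source) or source))
    for name, value in parse_qsl(rec.get("body", ""), keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double encoding.
        if MARKUP.search(unquote(value)):
            reasons.append("markup in form value '%s'" % name)
    return reasons

def scan(records):
    """Return (index, reasons) for every record that classify() flags."""
    hits = ((i, classify(r)) for i, r in enumerate(records))
    return [(i, why) for i, why in hits if why]

# Constructed sample records; field names and the path are hypothetical.
SAMPLE = [
    {"method": "POST", "url": "http://192.168.100.1/setup-placeholder",
     "origin": "http://news.example", "body": "field=%3Cscript%3Ex%3C%2Fscript%3E"},
    {"method": "POST", "url": "http://192.168.100.1/setup-placeholder",
     "origin": "http://192.168.100.1", "body": "field=home-network"},
    {"method": "GET", "url": "http://192.168.100.1/", "origin": "", "body": ""},
    {"method": "POST", "url": "http://intranet.example/form",
     "origin": "http://intranet.example", "body": "q=%3Cscript%3E"},
]

if __name__ == "__main__":
    for index, why in scan(SAMPLE):
        print(index, "; ".join(why))
```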
-
Cisco will be releasing fixed software versions in an upcoming GA release for the following products:
- DPC3008/EPC3008 Cable Modem
- DPC/EPC3010 Cable Modem
- DPC/EPC3212 VoIP Cable Modem
- DPC/EPC 3208 VoIP Cable Modem
- DPC3825 and EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
- DPC3925 and EPC3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
Service providers will be able to issue the update to the firmware on the consumers' behalf as part of their software maintenance procedures.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
| Version | Description | Section | Status | Date |
| --- | --- | --- | --- | --- |
| 1.0 | Initial Release | NA | Final | 2012-Jun-13 |
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.