Cisco fixes critical flaw in modems and wireless gateways
Posted on 17 July 2014.
Cisco has fixed a critical vulnerability affecting a number of its wireless residential gateways and cable modems, and is urging users to check whether their service providers and third-party support organizations have pushed out the upgraded software with the fix.

Customers without service contracts should request free upgrades through the Cisco Technical Assistance Center (contact information can be found here).

The vulnerability, which was awarded the maximum severity score even though there isn't evidence it is currently being used in attacks, "could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution."

"The vulnerability is due to incorrect input validation for HTTP requests," Cisco explained in an advisory published on Wednesday.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. Successful exploitation could allow the attacker to crash the web server and execute arbitrary code with elevated privileges. This vulnerability exists whether the device is configured in Router mode or Gateway mode."

There is no workaround for the flaw - updating the software is the only way to remove the risk that the vulnerability poses.

Affected products are:
  • Cisco DPC3212 VoIP Cable Modem
  • Cisco DPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
  • Cisco EPC3212 VoIP Cable Modem
  • Cisco EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
  • Cisco Model DPC3010 DOCSIS 3.0 8x4 Cable Modem
  • Cisco Model DPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
  • Cisco Model DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
  • Cisco Model EPC3010 DOCSIS 3.0 Cable Modem
  • Cisco Model EPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA.
This vulnerability was discovered and reported to Cisco by Chris Watts of Tech Analysis.









Spotlight

Whitepaper: Zero Trust approach to network security

Posted on 20 November 2014.  |  Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Nov 24th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //