Flaw exposes some Cisco home wireless devices to hacking
Specially crafted HTTP requests could trigger remote code execution on the affected devices, Cisco said
IDG News Service - Nine of Cisco's home and small office cable modems with router and wireless access point functionality need software updates to fix a critical vulnerability that could allow remote attackers to completely compromise them.
The company has shared the software updates with service providers, so users who obtained the affected equipment from their ISPs or other Cisco resellers should contact those organizations.
The vulnerability is a buffer overflow that results from incorrect validation of input in HTTP requests. If left unpatched, it allows remote, unauthenticated attackers to inject commands and execute arbitrary code with elevated privileges.
"An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device," Cisco said in a security advisory. "This vulnerability exists whether the device is configured in Router mode or Gateway mode."
The flaw received the highest criticality rating (10.0) on the Common Vulnerability Scoring System (CVSS), which means it can completely compromise the confidentiality, integrity and availability of the targeted device.
The affected wireless residential gateway products, as Cisco calls them, are: Cisco DPC3212 VoIP Cable Modem, Cisco DPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway, Cisco EPC3212 VoIP Cable Modem, Cisco EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway, Cisco Model DPC3010 DOCSIS 3.0 8x4 Cable Modem, Cisco Model DPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA, Cisco Model DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA, Cisco Model EPC3010 DOCSIS 3.0 Cable Modem and Cisco Model EPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA.
There is currently no workaround for addressing this vulnerability aside from updating the software.
Users with direct Cisco service contracts can obtain the patched software versions directly from the company's website and those without such contracts should contact the Cisco Technical Assistance Center.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts