Cisco Security Advisory
Cisco Wireless Residential Gateway Remote Code Execution Vulnerability
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
-
A vulnerability in the web server used in multiple Cisco Wireless Residential Gateway products could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.
The vulnerability is due to incorrect input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-20140716-cm
-
Cisco has confirmed that only the products listed in the Vulnerable Products section running software based on BFC 5.5.2 or older are vulnerable. Customers running software versions based on BFC 5.5.2 or older may obtain the software update by following the instructions listed under the "Obtaining Fixed Software" section. Software based on BFC 5.5.3 and newer does not contain this vulnerability.
Vulnerable Products
The following Cisco products are affected by this vulnerability:
- Cisco DPC3212 VoIP Cable Modem
- Cisco DPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
- Cisco EPC3212 VoIP Cable Modem
- Cisco EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
- Cisco Model DPC3010 DOCSIS 3.0 8x4 Cable Modem
- Cisco Model DPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
- Cisco Model DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
- Cisco Model EPC3010 DOCSIS 3.0 Cable Modem
- Cisco Model EPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
Products Confirmed Not Vulnerable
- Cisco Model DCP2100 DOCSIS 2.0 Cable Modem
- Cisco Model DPC3008 DOCSIS 3.0 8x4 Cable Modem
- Cisco Model DPC3208 8x4 DOCSIS 3.0 Cable Modem
- Cisco Model DPC3828 DOCSIS 3.0 8x4 Residential Wireless Gateway
- Cisco Model DPC3928 DOCSIS 3.0 8x4 Wireless Residential Gateway
- Cisco Model EPC2425 EuroDOCSIS 2.0 Cable Modem
- Cisco Model EPC3008 EuroDOCSIS 3.0 8x4 VoIP Cable Modem
- Cisco Model EPC3208 8x4 DOCSIS 3.0 Cable Modem
- Cisco Model EPC3828 EuroDOCSIS 3.0 8x4 Residential Wireless Gateway
- Cisco Model EPC3928 EuroDOCSIS 3.0 8x4 Wireless Residential Gateway
- Scientific Atlanta DPR2320 Cable Modem
- Scientific Atlanta DPX 2000 Cable Modem
- Scientific Atlanta EPC2203 VoIP Cable Modem
- WebSTAR DPX2100 Cable Modem
- WebSTAR DPX2203C VoIP Cable Modem
- WebSTAR EPC2100R2 Cable Modem
- WebSTAR EPR2325 EuroDOCSIS Residential Gateway with Wireless Access Point
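A way to apply the criteria above to a device inventory, as an added example that is not part of the Cisco advisory: it flags records whose model is in the Vulnerable Products list and whose BFC base version is older than 5.5.3. The inventory layout and the separate BFC base version field are assumptions; the advisory does not say how a device reports its BFC base, so unreadable values are routed to the service provider for confirmation.

```python
import re

# Model numbers from the advisory's "Vulnerable Products" list.
AFFECTED_MODELS = {
    "DPC3212", "DPC3825", "EPC3212", "EPC3825", "DPC3010",
    "DPC3925", "DPQ3925", "EPC3010", "EPC3925",
}
# Advisory: software based on BFC 5.5.3 and newer does not contain the flaw.
FIRST_FIXED_BFC = (5, 5, 3)


def parse_bfc(text):
    """Return the BFC base version as a 3-tuple of ints, or None if unreadable."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){0,2})\s*", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(model_name, bfc_base):
    """Classify one inventory record against the advisory's criteria."""
    tokens = set(re.findall(r"[A-Z0-9]+", model_name.upper()))
    if not tokens & AFFECTED_MODELS:
        return "not-listed"  # model is not in the Vulnerable Products list
    version = parse_bfc(bfc_base)
    if version is None:
        return "confirm-with-provider"  # affected model, software base unknown
    # Numeric tuple comparison: 5.5.10 is newer than 5.5.3, unlike a string compare.
    return "fixed" if version >= FIRST_FIXED_BFC else "vulnerable"


# Constructed sample inventory (model string, assumed BFC base field); not real data.
SAMPLE_INVENTORY = [
    ("Cisco DPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway", "5.5.2"),
    ("Cisco EPC3925", "5.5.10"),
    ("cisco model dpq3925", "5.4"),
    ("Cisco EPC3212 VoIP Cable Modem", ""),
    ("Cisco Model DPC3928 DOCSIS 3.0 8x4 Wireless Residential Gateway", "5.5.2"),
]


def triage(inventory):
    """Return (model, bfc_base, verdict) for every inventory record."""
    return [(model, bfc, classify(model, bfc)) for model, bfc in inventory]


if __name__ == "__main__":
    for model, bfc, verdict in triage(SAMPLE_INVENTORY):
        print(f"{verdict:22} {bfc or '?':8} {model}")
```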
-
The vulnerability is due to incorrect input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. Successful exploitation could allow the attacker to crash the web server and execute arbitrary code with elevated privileges. This vulnerability exists whether the device is configured in Router mode or Gateway mode.
Cisco has released software updates to its service provider customers that address the vulnerability described in this advisory. Prior to contacting Cisco TAC, customers are advised to contact their service providers to confirm the software deployed by the service provider includes the fix that addresses this vulnerability.
This vulnerability is documented in Cisco bug ID CSCup40808 (registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-3306.
-
There are currently no known workarounds available for this vulnerability.
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was reported to Cisco by Chris Watts of Tech Analysis. Cisco would like to thank him for reporting this issue to Cisco PSIRT.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
- Revision 1.1, 2014-July-18: Added fixed version information in the Vulnerable Products section.
- Revision 1.0, 2014-July-16: Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.