Vulnerability exposes some Cisco home wireless devices to hacking

Specially crafted HTTP requests could trigger remote code execution on the affected devices, Cisco said

Nine of Cisco's home and small office cable modems with router and wireless access point functionality need software updates to fix a critical vulnerability that could allow remote attackers to completely compromise them.

The company has shared the software updates with service providers, so users who obtained the affected equipment from their ISPs or other Cisco resellers should contact those organizations.

The vulnerability is a buffer overflow that results from incorrect validation of input in HTTP requests. If left unpatched, it allows remote, unauthenticated attackers to inject commands and execute arbitrary code with elevated privileges.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device," Cisco said in a security advisory. "This vulnerability exists whether the device is configured in Router mode or Gateway mode."

The flaw received the highest criticality rating (10.0) on the Common Vulnerability Scoring System (CVSS), which means it can completely compromise the confidentiality, integrity and availability of the targeted device.

The affected wireless residential gateway products, as Cisco calls them, are: Cisco DPC3212 VoIP Cable Modem, Cisco DPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway, Cisco EPC3212 VoIP Cable Modem, Cisco EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway, Cisco Model DPC3010 DOCSIS 3.0 8x4 Cable Modem, Cisco Model DPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA, Cisco Model DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA, Cisco Model EPC3010 DOCSIS 3.0 Cable Modem and Cisco Model EPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA.

There is currently no workaround for addressing this vulnerability aside from updating the software.

Users with direct Cisco service contracts can obtain the patched software versions directly from the company's website and those without such contracts should contact the Cisco Technical Assistance Center.

Join the PC World newsletter!

Error: Please check your email address.

Tags networking hardwarepatchesCisco SystemsintrusionsecurityNetworkingExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?