ID

VAR-201005-0198


CVE

CVE-2010-2025


TITLE

Cisco Scientific Atlanta WebSTAR DPC2100R2 Debug Demodulator Cross-Site Request Forgery Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2010-4421 // CNNVD: CNNVD-201005-370

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allow remote attackers to hijack the authentication of administrators for requests that (1) reset the modem, (2) erase the firmware, (3) change the administrative password, (4) install modified firmware, or (5) change the access level, as demonstrated by a request to goform/_aslvl.

The Cisco DPC2100R2 is a cable TV cable modem.

- Cross-site request forgery attacks. Multiple functions provided by the web interface fail to establish a session correctly and to restrict access to authorized users.
- The Cisco DPC2100R2 device has access control levels numbered 0-2 (0-3 on some devices). Because some operations that require authorization are not properly checked, an attacker can submit a specially constructed POST request to reset the device and install new software without any verification.

Other attacks are also possible. Firmware versions prior to 2.0.2.r1256-100324as are vulnerable.

Testing was performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303.

1. An attacker may create a malicious website that, when visited by a victim, updates these settings on the victim's modem on the victim's behalf without their authorization or need for any additional user interaction. This issue has been assigned CVE-2010-2025.

2. Insufficient authentication. The modem's access control scheme, which has levels numbered from 0-2 (or 0-3 on some other models), is not properly checked before performing operations that should require authentication, including resetting the modem and installing new firmware. The modem requires the proper access level to access web interface pages containing forms that allow a user to perform these actions, but does not properly authenticate the pages that actually carry out these actions. By sending a POST request directly to these pages, these actions may be performed without any authentication. Attacks may be performed by an attacker on the local network or by leveraging the CSRF vulnerability. This issue has been assigned CVE-2010-2026.

==Identifying Vulnerable Installations==

Most home installations of this modem will feature a web interface that is accessible at "http://192.168.100.1". The following proof-of-concept code may be used to test for vulnerability. It leverages the CSRF vulnerability to change the access level of your modem to the most restrictive settings (a harmless action). If your modem is vulnerable, then you will be presented with a message stating that your settings have been successfully updated. If you are greeted with a page stating there was a "Password confirmation error", then your modem password has been changed from the default but you are still vulnerable. If you are greeted with an HTTP authentication form or other message, then your model is not vulnerable.

    <html>
    <head>
    <title>Test for CSRF vulnerability in WebSTAR modems</title>
    </head>
    <body>
    <form name="csrf" method="post" action="http://192.168.100.1/goform/_aslvl">
    <input type="hidden" name="SAAccessLevel" value="0">
    <input type="hidden" name="SAPassword" value="W2402">
    </form>
    <script>document.csrf.submit()</script>
    </body>
    </html>

==Solution==

In most cases, home users will be unable to update vulnerable firmware without assistance from their cable providers. For the DPC2100R2 modems, the latest version string is dpc2100R2-v202r1256-100324as. To prevent exploitation of CSRF vulnerabilities, users are always encouraged to practice safe browsing habits and avoid visiting unknown or untrusted websites.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenberg@gmail.com). Thanks to Matthew Bergin for suggesting I should look at cable modems.

==Timeline==

1/26/10 - Vulnerability reported to Cisco
1/26/10 - Response, issue assigned internal tracking number
2/26/10 - Status update requested
2/26/10 - Response
5/15/10 - Status update requested
5/17/10 - Response, confirmation that newest firmware resolves issues
5/17/10 - Disclosure date set
5/24/10 - Disclosure

==References==

CVE identifiers CVE-2010-2025 and CVE-2010-2026 have been assigned to these issues.

Trust: 3.15

sources: NVD: CVE-2010-2025 // JVNDB: JVNDB-2010-004099 // CNVD: CNVD-2010-0946 // CNVD: CNVD-2010-4421 // BID: 40346 // VULHUB: VHN-44630 // PACKETSTORM: 89916

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 1.2

sources: CNVD: CNVD-2010-0946 // CNVD: CNVD-2010-4421

AFFECTED PRODUCTS

vendor: cisco // model: scientific atlanta webstar dpc2100r2 // scope: eq // version: 2.0.2r1256-060303

Trust: 1.6

vendor: cisco // model: dpc2100r2 r1256-060303 // scope: eq // version: 2.0.2

Trust: 1.5

vendor: cisco // model: scientific atlanta webstar dpc2100r2 // scope: eq // version: firmware 2.0.2r1256-060303

Trust: 0.8

vendor: cisco // model: dpc2100r2 r1256-100324as // scope: ne // version: 2.0.2

Trust: 0.3

sources: CNVD: CNVD-2010-0946 // CNVD: CNVD-2010-4421 // BID: 40346 // JVNDB: JVNDB-2010-004099 // CNNVD: CNNVD-201005-370 // NVD: CVE-2010-2025

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-2025
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-2025
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2010-4421
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201005-370
value: MEDIUM

Trust: 0.6

VULHUB: VHN-44630
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2010-2025
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2010-4421
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-44630
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2010-4421 // VULHUB: VHN-44630 // JVNDB: JVNDB-2010-004099 // CNNVD: CNNVD-201005-370 // NVD: CVE-2010-2025

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-44630 // JVNDB: JVNDB-2010-004099 // NVD: CVE-2010-2025

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201005-370

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201005-370

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-004099

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-44630

PATCH

title: Top Page // url: http://www.cisco.com/

Trust: 0.8

title: Cisco DPC2100 Secure Bypass and Cross-Site Request Forgery Patch // url: https://www.cnvd.org.cn/patchInfo/show/383

Trust: 0.6

title: Patch for Cisco Scientific Atlanta WebSTAR DPC2100R2 Debug Demodulator Cross-Site Request Forgery Vulnerability // url: https://www.cnvd.org.cn/patchInfo/show/37643

Trust: 0.6

sources: CNVD: CNVD-2010-0946 // CNVD: CNVD-2010-4421 // JVNDB: JVNDB-2010-004099

EXTERNAL IDS

db: NVD // id: CVE-2010-2025

Trust: 4.1

db: BID // id: 40346

Trust: 2.6

db: JVNDB // id: JVNDB-2010-004099

Trust: 0.8

db: CNNVD // id: CNNVD-201005-370

Trust: 0.7

db: CNVD // id: CNVD-2010-0946

Trust: 0.6

db: CNVD // id: CNVD-2010-4421

Trust: 0.6

db: NSFOCUS // id: 15097

Trust: 0.6

db: FULLDISC // id: 20100524 SCIENTIFIC ATLANTA DPC2100 WEBSTAR CABLE MODEM VULNERABILITIES

Trust: 0.6

db: PACKETSTORM // id: 89916

Trust: 0.2

db: EXPLOIT-DB // id: 34033

Trust: 0.1

db: VULHUB // id: VHN-44630

Trust: 0.1

sources: CNVD: CNVD-2010-0946 // CNVD: CNVD-2010-4421 // VULHUB: VHN-44630 // BID: 40346 // JVNDB: JVNDB-2010-004099 // PACKETSTORM: 89916 // CNNVD: CNNVD-201005-370 // NVD: CVE-2010-2025

REFERENCES

url:http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0322.html

Trust: 2.6

url:http://www.securityfocus.com/bid/40346

Trust: 2.3

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2025

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-2025

Trust: 0.8

url:http://www.nsfocus.net/vulndb/15097

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

url:https://www.cisco.com

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2010-2025

Trust: 0.1

url:http://192.168.100.1/goform/_aslvl

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2010-2026

Trust: 0.1

url:http://192.168.100.1

Trust: 0.1

sources: CNVD: CNVD-2010-0946 // CNVD: CNVD-2010-4421 // VULHUB: VHN-44630 // BID: 40346 // JVNDB: JVNDB-2010-004099 // PACKETSTORM: 89916 // CNNVD: CNNVD-201005-370 // NVD: CVE-2010-2025

CREDITS

Dan Rosenberg

Trust: 1.0

sources: BID: 40346 // PACKETSTORM: 89916 // CNNVD: CNNVD-201005-370

SOURCES

db: CNVD // id: CNVD-2010-0946
db: CNVD // id: CNVD-2010-4421
db: VULHUB // id: VHN-44630
db: BID // id: 40346
db: JVNDB // id: JVNDB-2010-004099
db: PACKETSTORM // id: 89916
db: CNNVD // id: CNNVD-201005-370
db: NVD // id: CVE-2010-2025

LAST UPDATE DATE

2025-04-11T23:16:50.381000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2010-0946 // date: 2010-05-25T00:00:00
db: CNVD // id: CNVD-2010-4421 // date: 2010-05-28T00:00:00
db: VULHUB // id: VHN-44630 // date: 2010-05-27T00:00:00
db: BID // id: 40346 // date: 2010-05-24T19:32:00
db: JVNDB // id: JVNDB-2010-004099 // date: 2012-06-26T00:00:00
db: CNNVD // id: CNNVD-201005-370 // date: 2010-05-28T00:00:00
db: NVD // id: CVE-2010-2025 // date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2010-0946 // date: 2010-05-25T00:00:00
db: CNVD // id: CNVD-2010-4421 // date: 2010-05-28T00:00:00
db: VULHUB // id: VHN-44630 // date: 2010-05-26T00:00:00
db: BID // id: 40346 // date: 2010-05-24T00:00:00
db: JVNDB // id: JVNDB-2010-004099 // date: 2012-06-26T00:00:00
db: PACKETSTORM // id: 89916 // date: 2010-05-25T21:34:37
db: CNNVD // id: CNNVD-201005-370 // date: 2010-05-28T00:00:00
db: NVD // id: CVE-2010-2025 // date: 2010-05-26T19:30:01.390