Sign-up

ID

VAR-201005-0199


CVE

CVE-2010-2026


TITLE

Cisco Scientific Atlanta WebSTAR DPC2100R2 Cable modem Web Vulnerabilities that bypass authentication in the interface

Trust: 0.8

sources: JVNDB: JVNDB-2010-004100

DESCRIPTION

The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allows remote attackers to bypass authentication, and reset the modem or replace the firmware, via a direct request to an unspecified page. The Cisco DPC2100R2 is a cable TV CABLE MODEM. - Cross-site request forgery attacks. Multiple functions provided by the WEB interface cannot establish a session correctly and restrict access by authorized users. The attacker builds a malicious WEB site, entice the user to click, and can be authorized to change the administrator password, reset the device, install new firmware, and so on. - The Cisco DPC2100R2 device has access control mechanisms of 0-2 (some devices are 0-3). Due to the lack of proper checking for some operations that require authorization, the attacker submits a specially constructed POST request without any verification reset. Equipment and installation of new software. Cisco DPC2100 (formerly Scientific Atlanta DPC2100) is prone to multiple security-bypass and cross-site request-forgery vulnerabilities. Other attacks are also possible. Firmware versions prior to 2.0.2.r1256-100324as are vulnerable. \xa0Testing was performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303. 1. \xa0An attacker may create a malicious website that, when visited by a victim, updates these settings on the victim's modem on the victim's behalf without their authorization or need for any additional user interaction. \xa0This issue has been assigned CVE-2010-2025. 2. Insufficient authentication. The modem's access control scheme, which has levels numbered from 0-2 (or 0-3 on some other models), is not properly checked before performing operations that should require authentication, including resetting the modem and installing new firmware. The modem requires the proper access level to access web interface pages containing forms that allow a user to perform these actions, but does not properly authenticate the pages that actually carry out these actions. By sending a POST request directly to these pages, these actions may be performed without any authentication. Attacks may be performed by an attacker on the local network or by leveraging the CSRF vulnerability. This issue has been assigned CVE-2010-2026. ==Identifying Vulnerable Installations== Most home installations of this modem will feature a web interface that is accessible at "http://192.168.100.1". \xa0The following proof-of-concept code may be used to test for vulnerability. \xa0It leverages the CSRF vulnerability to change the access level of your modem to the most restrictive settings (a harmless action). \xa0If your modem is vulnerable, then you will be presented with a message stating that your settings have been successfully updated. \xa0If you are greeted with a page stating there was a "Password confirmation error", then your modem password has been changed from the default but you are still vulnerable. \xa0If you are greeted with an HTTP authentication form or other message, then your model is not vulnerable. <html> <head> <title>Test for CSRF vulnerability in WebSTAR modems</title> </head> <body> <form name="csrf" method="post" action="http://192.168.100.1/goform/_aslvl"> <input type="hidden" name="SAAccessLevel" value="0"> <input type="hidden" name="SAPassword" value="W2402"> </form> <script>document.csrf.submit()</script> </body> </html> ==Solution== In most cases, home users will be unable to update vulnerable firmware without assistance from their cable providers. \xa0For the DPC2100R2 modems, the latest version string is dpc2100R2-v202r1256-100324as. To prevent exploitation of CSRF vulnerabilities, users are always encouraged to practice safe browsing habits and avoid visiting unknown or untrusted websites. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenberg@gmail.com). Thanks to Matthew Bergin for suggesting I should look at cable modems. ==Timeline== 1/26/10 - Vulnerability reported to Cisco 1/26/10 - Response, issue assigned internal tracking number 2/26/10 - Status update requested 2/26/10 - Response 5/15/10 - Status update requested 5/17/10 - Response, confirmation that newest firmware resolves issues 5/17/10 - Disclosure date set 5/24/10 - Disclosure ==References== CVE identifiers CVE-2010-2025 and CVE-2010-2026 have been assigned to these issues

Trust: 3.15

sources: NVD: CVE-2010-2026 // JVNDB: JVNDB-2010-004100 // CNVD: CNVD-2010-0946 // CNVD: CNVD-2010-4420 // BID: 40346 // VULHUB: VHN-44631 // PACKETSTORM: 89916

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 1.2

sources: CNVD: CNVD-2010-0946 // CNVD: CNVD-2010-4420

AFFECTED PRODUCTS

vendor:ciscomodel:scientific atlanta webstar dpc2100r2scope:eqversion:2.0.2r1256-060303

Trust: 1.6

vendor:ciscomodel:dpc2100r2 r1256-060303scope:eqversion:2.0.2

Trust: 1.5

vendor:ciscomodel:scientific atlanta webstar dpc2100r2scope:eqversion:firmware 2.0.2r1256-060303

Trust: 0.8

vendor:ciscomodel:dpc2100r2 r1256-100324asscope:neversion:2.0.2

Trust: 0.3

sources: CNVD: CNVD-2010-0946 // CNVD: CNVD-2010-4420 // BID: 40346 // JVNDB: JVNDB-2010-004100 // CNNVD: CNNVD-201005-371 // NVD: CVE-2010-2026

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-2026
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-2026
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2010-4420
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201005-371
value: MEDIUM

Trust: 0.6

VULHUB: VHN-44631
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2010-2026
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2010-4420
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-44631
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2010-4420 // VULHUB: VHN-44631 // JVNDB: JVNDB-2010-004100 // CNNVD: CNNVD-201005-371 // NVD: CVE-2010-2026

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-44631 // JVNDB: JVNDB-2010-004100 // NVD: CVE-2010-2026

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201005-371

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201005-371

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2010-004100

PATCH
title:Top Pageurl:http://www.cisco.com/
Trust: 0.8
title:Cisco DPC2100 Secure Bypass and Cross-Site Request Forgery Patchurl:https://www.cnvd.org.cn/patchInfo/show/383
Trust: 0.6
title:Cisco Scientific Atlanta WebSTAR DPC2100R2 Cable Modem Bypass Patch for Authentication Vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/37642
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2010-0946 // 
            
            
            
            CNVD: CNVD-2010-4420 // 
            
            
            
            JVNDB: JVNDB-2010-004100

EXTERNAL IDS
db:NVDid:CVE-2010-2026
Trust: 4.1
db:BIDid:40346
Trust: 2.6
db:JVNDBid:JVNDB-2010-004100
Trust: 0.8
db:CNNVDid:CNNVD-201005-371
Trust: 0.7
db:CNVDid:CNVD-2010-0946
Trust: 0.6
db:CNVDid:CNVD-2010-4420
Trust: 0.6
db:NSFOCUSid:15097
Trust: 0.6
db:FULLDISCid:20100524 SCIENTIFIC ATLANTA DPC2100 WEBSTAR CABLE MODEM VULNERABILITIES
Trust: 0.6
db:VULHUBid:VHN-44631
Trust: 0.1
db:PACKETSTORMid:89916
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2010-0946 // 
            
            
            
            CNVD: CNVD-2010-4420 // 
            
            
            
            VULHUB: VHN-44631 // 
            
            
            
            BID: 40346 // 
            
            
            
            JVNDB: JVNDB-2010-004100 // 
            
            
            
            PACKETSTORM: 89916 // 
            
            
            
            CNNVD: CNNVD-201005-371 // 
            
            
            
            NVD: CVE-2010-2026

REFERENCES
url:http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0322.html
Trust: 2.6
url:http://www.securityfocus.com/bid/40346
Trust: 2.3
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2026
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-2026
Trust: 0.8
url:http://www.nsfocus.net/vulndb/15097
Trust: 0.6
url:http://www.cisco.com/
Trust: 0.3
url:https://www.cisco.com),
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2010-2025
Trust: 0.1
url:http://192.168.100.1/goform/_aslvl">
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2010-2026
Trust: 0.1
url:http://192.168.100.1".
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2010-0946 // 
            
            
            
            CNVD: CNVD-2010-4420 // 
            
            
            
            VULHUB: VHN-44631 // 
            
            
            
            BID: 40346 // 
            
            
            
            JVNDB: JVNDB-2010-004100 // 
            
            
            
            PACKETSTORM: 89916 // 
            
            
            
            CNNVD: CNNVD-201005-371 // 
            
            
            
            NVD: CVE-2010-2026

CREDITS
Dan Rosenberg
Trust: 1.0
sources:
            
            
            BID: 40346 // 
            
            
            
            PACKETSTORM: 89916 // 
            
            
            
            CNNVD: CNNVD-201005-371

SOURCES
db:CNVDid:CNVD-2010-0946
db:CNVDid:CNVD-2010-4420
db:VULHUBid:VHN-44631
db:BIDid:40346
db:JVNDBid:JVNDB-2010-004100
db:PACKETSTORMid:89916
db:CNNVDid:CNNVD-201005-371
db:NVDid:CVE-2010-2026

LAST UPDATE DATE
2025-04-11T23:16:50.312000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2010-0946date:2010-05-25T00:00:00
db:CNVDid:CNVD-2010-4420date:2010-05-28T00:00:00
db:VULHUBid:VHN-44631date:2010-05-27T00:00:00
db:BIDid:40346date:2010-05-24T19:32:00
db:JVNDBid:JVNDB-2010-004100date:2012-06-26T00:00:00
db:CNNVDid:CNNVD-201005-371date:2010-05-28T00:00:00
db:NVDid:CVE-2010-2026date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:CNVDid:CNVD-2010-0946date:2010-05-25T00:00:00
db:CNVDid:CNVD-2010-4420date:2010-05-28T00:00:00
db:VULHUBid:VHN-44631date:2010-05-26T00:00:00
db:BIDid:40346date:2010-05-24T00:00:00
db:JVNDBid:JVNDB-2010-004100date:2012-06-26T00:00:00
db:PACKETSTORMid:89916date:2010-05-25T21:34:37
db:CNNVDid:CNNVD-201005-371date:2010-05-28T00:00:00
db:NVDid:CVE-2010-2026date:2010-05-26T19:30:01.483