Details of VAR-201511-0053

ID

VAR-201511-0053

CVE

CVE-2015-7289

TITLE

ARRIS cable modems generate passwords deterministically and contain XSS and CSRF vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#419568

DESCRIPTION

Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_100611 through TS0705125D_031115 have a hardcoded administrator password derived from a serial number, which makes it easier for remote attackers to obtain access via the web management interface, SSH, TELNET, or SNMP. Multiple models of ARRIS cable modems contain multiple, deterministically generated backdoor passwords, as well as multiple cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities. Arris DG860A, TG862A and TG862G are modem products of the American Arris Group. A remote attacker can exploit the vulnerability to gain access through the web administration interface. A cross-site scripting vulnerability 2. A cross-site request-forgery vulnerability 3. Multiple security-bypass vulnerabilities An attacker can exploit these issues to bypass security restrictions and perform unauthorized actions, execute attacker-supplied HTML or JavaScript code in the context of the affected site or to steal cookie-based authentication credentials. This may aid in further attacks. The following products and versions are affected: Arris DG860A, TG862A, TG862G using firmware versions TS0703128_100611 to TS0705125D_031115

Trust: 3.24

sources: NVD: CVE-2015-7289 // CERT/CC: VU#419568 // JVNDB: JVNDB-2015-006007 // CNVD: CNVD-2015-07833 // BID: 77674 // VULHUB: VHN-85250

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-07833

AFFECTED PRODUCTS

vendor:	arris	model:	na model 862 gw mono	scope:	eq	version:	ts0703135_112211	Trust: 1.6
vendor:	arris	model:	na model 862 gw mono	scope:	eq	version:	ts0705125d_031115	Trust: 1.6
vendor:	arris	model:	na model 862 gw mono	scope:	eq	version:	ts070593c_073013	Trust: 1.6
vendor:	arris	model:	na model 862 gw mono	scope:	eq	version:	ts0705125_062314	Trust: 1.6
vendor:	arris	model:	na model 862 gw mono	scope:	eq	version:	ts0703128_100611	Trust: 1.6
vendor:	arris	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	arris group	model:	dg860a	scope:	-	version:	-	Trust: 0.8
vendor:	arris group	model:	na.model 862.gw.mono	scope:	eq	version:	ts0703128_100611 to ts0705125d_031115	Trust: 0.8
vendor:	arris group	model:	tg862a	scope:	-	version:	-	Trust: 0.8
vendor:	arris group	model:	tg862g	scope:	-	version:	-	Trust: 0.8
vendor:	arris	model:	dg860a ts0703128 100611 to ts0705125d 031115	scope:	-	version:	-	Trust: 0.6
vendor:	arris	model:	tg862a ts0703128 100611 to ts0705125d 031115	scope:	-	version:	-	Trust: 0.6
vendor:	arris	model:	tg862g ts0703128 100611 to ts0705125d 031115	scope:	-	version:	-	Trust: 0.6
vendor:	arris	model:	tg862g ts070593c 073013 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862g ts0705125d 031115 na	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862g ts0705125 062314 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862g ts0703135 112211 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862g ts0703128 100611 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862a ts070593c 073013 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862a ts0705125d 031115 na	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862a ts0705125 062314 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862a ts0703135 112211 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862a ts0703128 100611 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	dg860a ts070593c 073013 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	dg860a ts0705125d 031115 na	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	dg860a ts0705125 062314 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	dg860a ts0703135 112211 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	dg860a ts0703128 100611 na.	scope:	-	version:	-	Trust: 0.3

sources: CERT/CC: VU#419568 // CNVD: CNVD-2015-07833 // BID: 77674 // JVNDB: JVNDB-2015-006007 // CNNVD: CNNVD-201511-382 // NVD: CVE-2015-7289

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-7289
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-7289
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2015-07833
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201511-382
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-85250
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-7289
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-07833
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-85250
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2015-07833 // VULHUB: VHN-85250 // JVNDB: JVNDB-2015-006007 // CNNVD: CNNVD-201511-382 // NVD: CVE-2015-7289

PROBLEMTYPE DATA

problemtype:	CWE-255	Trust: 1.9
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-85250 // JVNDB: JVNDB-2015-006007 // NVD: CVE-2015-7289

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201511-382

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201511-382

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006007

PATCH

title:	Top Page	url:	http://www.arris.com/	Trust: 0.8
title:	TG862G/CT	url:	http://arris.force.com/consumers/ConsumerProductDetail?p=a0ha000000GOZ3yAAH&c=Touchstone%20Modems%20and%20Gateways	Trust: 0.8
title:	Patches for multiple Arris device trust management vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/67321	Trust: 0.6

sources: CNVD: CNVD-2015-07833 // JVNDB: JVNDB-2015-006007

EXTERNAL IDS

db:	CERT/CC	id:	VU#419568	Trust: 4.2
db:	NVD	id:	CVE-2015-7289	Trust: 3.4
db:	EXPLOIT-DB	id:	29131	Trust: 0.8
db:	JVN	id:	JVNVU90662356	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-006007	Trust: 0.8
db:	CNNVD	id:	CNNVD-201511-382	Trust: 0.7
db:	CNVD	id:	CNVD-2015-07833	Trust: 0.6
db:	BID	id:	77674	Trust: 0.3
db:	VULHUB	id:	VHN-85250	Trust: 0.1

sources: CERT/CC: VU#419568 // CNVD: CNVD-2015-07833 // VULHUB: VHN-85250 // BID: 77674 // JVNDB: JVNDB-2015-006007 // CNNVD: CNNVD-201511-382 // NVD: CVE-2015-7289

REFERENCES

url:	http://www.kb.cert.org/vuls/id/419568	Trust: 3.4
url:	https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html	Trust: 0.8
url:	https://github.com/borfast/arrispwgen	Trust: 0.8
url:	https://www.shodan.io/search?query=arris+port%3a%2223%22	Trust: 0.8
url:	https://www.shodan.io/search?query=ssh-2.0-arris_0.50	Trust: 0.8
url:	https://www.shodan.io/search?query=net-dk	Trust: 0.8
url:	http://www.theregister.co.uk/2015/11/20/arris_modem_backdoor/	Trust: 0.8
url:	http://www.cert.br/docs/palestras/certbr-tcfirst2015.pdf	Trust: 0.8
url:	https://www.exploit-db.com/exploits/29131/	Trust: 0.8
url:	http://docsis.org/node/1575	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/255.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/259.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/80.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/352.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7289	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu90662356/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7289	Trust: 0.8
url:	http://www.arrisi.com/	Trust: 0.3

sources: CERT/CC: VU#419568 // CNVD: CNVD-2015-07833 // VULHUB: VHN-85250 // BID: 77674 // JVNDB: JVNDB-2015-006007 // CNNVD: CNNVD-201511-382 // NVD: CVE-2015-7289

CREDITS

Bernardo Rodrigues

Trust: 0.3

sources: BID: 77674

SOURCES

db:	CERT/CC	id:	VU#419568
db:	CNVD	id:	CNVD-2015-07833
db:	VULHUB	id:	VHN-85250
db:	BID	id:	77674
db:	JVNDB	id:	JVNDB-2015-006007
db:	CNNVD	id:	CNNVD-201511-382
db:	NVD	id:	CVE-2015-7289

LAST UPDATE DATE

2024-11-23T22:13:22.321000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#419568	date:	2015-11-23T00:00:00
db:	CNVD	id:	CNVD-2015-07833	date:	2015-11-27T00:00:00
db:	VULHUB	id:	VHN-85250	date:	2015-11-23T00:00:00
db:	BID	id:	77674	date:	2015-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2015-006007	date:	2015-11-24T00:00:00
db:	CNNVD	id:	CNNVD-201511-382	date:	2015-11-27T00:00:00
db:	NVD	id:	CVE-2015-7289	date:	2024-11-21T02:36:31.307

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#419568	date:	2015-11-20T00:00:00
db:	CNVD	id:	CNVD-2015-07833	date:	2015-11-27T00:00:00
db:	VULHUB	id:	VHN-85250	date:	2015-11-21T00:00:00
db:	BID	id:	77674	date:	2015-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2015-006007	date:	2015-11-24T00:00:00
db:	CNNVD	id:	CNNVD-201511-382	date:	2015-11-23T00:00:00
db:	NVD	id:	CVE-2015-7289	date:	2015-11-21T11:59:16.620