Details of VAR-201511-0054

ID

VAR-201511-0054

CVE

CVE-2015-7290

TITLE

ARRIS cable modems generate passwords deterministically and contain XSS and CSRF vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#419568

DESCRIPTION

Cross-site scripting (XSS) vulnerability in adv_pwd_cgi in the web management interface on Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_100611 through TS0705125D_031115 allows remote attackers to inject arbitrary web script or HTML via the pwd parameter. Multiple models of ARRIS cable modems contain multiple, deterministically generated backdoor passwords, as well as multiple cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities. Arris DG860A, TG862A and TG862G are modem products of the American Arris Group. A cross-site scripting vulnerability 2. A cross-site request-forgery vulnerability 3. Multiple security-bypass vulnerabilities An attacker can exploit these issues to bypass security restrictions and perform unauthorized actions, execute attacker-supplied HTML or JavaScript code in the context of the affected site or to steal cookie-based authentication credentials. This may aid in further attacks. The following products and versions are affected: Arris DG860A, TG862A, TG862G using firmware versions TS0703128_100611 to TS0705125D_031115

Trust: 3.24

sources: NVD: CVE-2015-7290 // CERT/CC: VU#419568 // JVNDB: JVNDB-2015-006008 // CNVD: CNVD-2015-07831 // BID: 77674 // VULHUB: VHN-85251

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-07831

AFFECTED PRODUCTS

vendor:	arris	model:	na model 862 gw mono	scope:	eq	version:	ts0703135_112211	Trust: 1.6
vendor:	arris	model:	na model 862 gw mono	scope:	eq	version:	ts0705125d_031115	Trust: 1.6
vendor:	arris	model:	na model 862 gw mono	scope:	eq	version:	ts070593c_073013	Trust: 1.6
vendor:	arris	model:	na model 862 gw mono	scope:	eq	version:	ts0705125_062314	Trust: 1.6
vendor:	arris	model:	na model 862 gw mono	scope:	eq	version:	ts0703128_100611	Trust: 1.6
vendor:	arris	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	arris group	model:	dg860a	scope:	-	version:	-	Trust: 0.8
vendor:	arris group	model:	na.model 862.gw.mono	scope:	eq	version:	ts0703128_100611 to ts0705125d_031115	Trust: 0.8
vendor:	arris group	model:	tg862a	scope:	-	version:	-	Trust: 0.8
vendor:	arris group	model:	tg862g	scope:	-	version:	-	Trust: 0.8
vendor:	arris	model:	dg860a ts0703128 100611 to ts0705125d 031115	scope:	-	version:	-	Trust: 0.6
vendor:	arris	model:	tg862a ts0703128 100611 to ts0705125d 031115	scope:	-	version:	-	Trust: 0.6
vendor:	arris	model:	tg862g ts0703128 100611 to ts0705125d 031115	scope:	-	version:	-	Trust: 0.6
vendor:	arris	model:	tg862g ts070593c 073013 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862g ts0705125d 031115 na	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862g ts0705125 062314 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862g ts0703135 112211 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862g ts0703128 100611 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862a ts070593c 073013 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862a ts0705125d 031115 na	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862a ts0705125 062314 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862a ts0703135 112211 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	tg862a ts0703128 100611 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	dg860a ts070593c 073013 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	dg860a ts0705125d 031115 na	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	dg860a ts0705125 062314 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	dg860a ts0703135 112211 na.	scope:	-	version:	-	Trust: 0.3
vendor:	arris	model:	dg860a ts0703128 100611 na.	scope:	-	version:	-	Trust: 0.3

sources: CERT/CC: VU#419568 // CNVD: CNVD-2015-07831 // BID: 77674 // JVNDB: JVNDB-2015-006008 // CNNVD: CNNVD-201511-383 // NVD: CVE-2015-7290

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-7290
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-7290
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-07831
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201511-383
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-85251
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-7290
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-07831
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-85251
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2015-07831 // VULHUB: VHN-85251 // JVNDB: JVNDB-2015-006008 // CNNVD: CNNVD-201511-383 // NVD: CVE-2015-7290

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.9
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-85251 // JVNDB: JVNDB-2015-006008 // NVD: CVE-2015-7290

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201511-383

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201511-383

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006008

PATCH

title:	Top Page	url:	http://www.arris.com/	Trust: 0.8
title:	TG862G/CT	url:	http://arris.force.com/consumers/ConsumerProductDetail?p=a0ha000000GOZ3yAAH&c=Touchstone%20Modems%20and%20Gateways	Trust: 0.8
title:	Patches for multiple Arris device cross-site scripting vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/67320	Trust: 0.6

sources: CNVD: CNVD-2015-07831 // JVNDB: JVNDB-2015-006008

EXTERNAL IDS

db:	CERT/CC	id:	VU#419568	Trust: 4.2
db:	NVD	id:	CVE-2015-7290	Trust: 3.4
db:	EXPLOIT-DB	id:	29131	Trust: 0.8
db:	JVN	id:	JVNVU90662356	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-006008	Trust: 0.8
db:	CNNVD	id:	CNNVD-201511-383	Trust: 0.7
db:	CNVD	id:	CNVD-2015-07831	Trust: 0.6
db:	BID	id:	77674	Trust: 0.3
db:	SEEBUG	id:	SSVID-89955	Trust: 0.1
db:	VULHUB	id:	VHN-85251	Trust: 0.1

sources: CERT/CC: VU#419568 // CNVD: CNVD-2015-07831 // VULHUB: VHN-85251 // BID: 77674 // JVNDB: JVNDB-2015-006008 // CNNVD: CNNVD-201511-383 // NVD: CVE-2015-7290

REFERENCES

url:	http://www.kb.cert.org/vuls/id/419568	Trust: 3.4
url:	https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html	Trust: 0.8
url:	https://github.com/borfast/arrispwgen	Trust: 0.8
url:	https://www.shodan.io/search?query=arris+port%3a%2223%22	Trust: 0.8
url:	https://www.shodan.io/search?query=ssh-2.0-arris_0.50	Trust: 0.8
url:	https://www.shodan.io/search?query=net-dk	Trust: 0.8
url:	http://www.theregister.co.uk/2015/11/20/arris_modem_backdoor/	Trust: 0.8
url:	http://www.cert.br/docs/palestras/certbr-tcfirst2015.pdf	Trust: 0.8
url:	https://www.exploit-db.com/exploits/29131/	Trust: 0.8
url:	http://docsis.org/node/1575	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/255.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/259.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/80.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/352.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7290	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu90662356/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7290	Trust: 0.8
url:	http://www.arrisi.com/	Trust: 0.3

sources: CERT/CC: VU#419568 // CNVD: CNVD-2015-07831 // VULHUB: VHN-85251 // BID: 77674 // JVNDB: JVNDB-2015-006008 // CNNVD: CNNVD-201511-383 // NVD: CVE-2015-7290

CREDITS

Bernardo Rodrigues

Trust: 0.3

sources: BID: 77674

SOURCES

db:	CERT/CC	id:	VU#419568
db:	CNVD	id:	CNVD-2015-07831
db:	VULHUB	id:	VHN-85251
db:	BID	id:	77674
db:	JVNDB	id:	JVNDB-2015-006008
db:	CNNVD	id:	CNNVD-201511-383
db:	NVD	id:	CVE-2015-7290

LAST UPDATE DATE

2024-11-23T22:13:22.364000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#419568	date:	2015-11-23T00:00:00
db:	CNVD	id:	CNVD-2015-07831	date:	2015-11-27T00:00:00
db:	VULHUB	id:	VHN-85251	date:	2015-11-23T00:00:00
db:	BID	id:	77674	date:	2015-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2015-006008	date:	2015-11-24T00:00:00
db:	CNNVD	id:	CNNVD-201511-383	date:	2015-11-23T00:00:00
db:	NVD	id:	CVE-2015-7290	date:	2024-11-21T02:36:31.413

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#419568	date:	2015-11-20T00:00:00
db:	CNVD	id:	CNVD-2015-07831	date:	2015-11-27T00:00:00
db:	VULHUB	id:	VHN-85251	date:	2015-11-21T00:00:00
db:	BID	id:	77674	date:	2015-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2015-006008	date:	2015-11-24T00:00:00
db:	CNNVD	id:	CNNVD-201511-383	date:	2015-11-23T00:00:00
db:	NVD	id:	CVE-2015-7290	date:	2015-11-21T11:59:18.247