==============================================================
Scientific Atlanta DPC2100 Cable Modem
Cross-Site Request Forgery and Insufficient Authentication
May 24, 2010
CVE-2010-2025, CVE-2010-2026
==============================================================
==Description==
Scientific Atlanta, a Cisco company (www.cisco.com), produces the WebSTAR line
of cable modems, which are widely deployed by cable providers, especially for
home usage. Certain versions of the firmware for the DPC2100 model feature a
web interface that is vulnerable to the following issues. Testing was
performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303. Other
WebSTAR modems and firmware versions may be vulnerable as well.
1. Cross-site request forgery (CSRF). Several features provided by the web
interface do not bind requests to a session established by an authorized user,
including the forms for changing the administrative password, resetting the
modem, and installing new firmware. An attacker may create a malicious website
that, when visited by a victim, submits these forms to the victim's modem from
the victim's browser, without the victim's authorization and without any
further user interaction. This can be used to deny service by resetting the
modem or wiping the firmware, to change the default administrative password,
or potentially to steal information from the victim by installing malicious
firmware. This issue has been assigned CVE-2010-2025.
2. Insufficient authentication. The modem's access control scheme, which has
levels numbered 0-2 (or 0-3 on some other models), is not checked before
performing operations that should require authentication, including resetting
the modem and installing new firmware. The modem requires the proper access
level to view the web interface pages containing the forms for these actions,
but the pages that actually carry out the actions do not check it. By sending
a POST request directly to those pages, the actions may be performed without
any authentication. The attack may be carried out by an attacker on the local
network or through a victim's browser by leveraging the CSRF vulnerability.
This issue has been assigned CVE-2010-2026.
==Identifying Vulnerable Installations==
Most home installations of this modem will feature a web interface that is
accessible at "http://192.168.100.1". The following proof-of-concept code may
be used to test for vulnerability. It leverages the CSRF vulnerability to
change the access level of your modem to the most restrictive setting (a
harmless action). If your modem is vulnerable, then you will be presented with
a message stating that your settings have been successfully updated. If you
are greeted with a page stating there was a "Password confirmation error", then
your modem password has been changed from the default but you are still
vulnerable. If you are greeted with an HTTP authentication form or some other
message, then your modem is not vulnerable.