Scientific Atlanta DPC2100 Cable Modem Cross Site Request Forgery

`===============================================================  
Scientific Atlanta DPC2100 Cable Modem  
Cross-Site Request Forgery and Insufficient Authentication  
May 24, 2010  
CVE-2010-2025, CVE-2010-2026  
===============================================================  
  
==Description==  
  
Scientific Atlanta, a Cisco company (www.cisco.com), produces the WebSTAR line  
of cable modems, which are widely deployed by cable providers, especially for  
home usage. Certain versions of the firmware for the DPC2100 model feature a  
web interface that is vulnerable to the following issues. Testing was  
performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303. Other  
WebSTAR modems and firmware versions may be vulnerable as well.  
  
1. Cross-site request forgery (CSRF). Several features provided by the web  
interface fail to properly establish sessions that restrict access to  
authorized users, including forms for changing the administrative password,  
resetting the modem, and installing new firmware. An attacker may create a  
malicious website that, when visited by a victim, updates these settings on the  
victim's modem on the victim's behalf without their authorization or need for  
any additional user interaction. This can be used to deny service by resetting  
the modem or wiping the firmware, to change the default administrative  
password, or potentially to steal information from the victim by installing  
malicious firmware. This issue has been assigned CVE-2010-2025.  
  
2. Insufficient authentication. The modem's access control scheme, which has  
levels numbered from 0-2 (or 0-3 on some other models), is not properly checked  
before performing operations that should require authentication, including  
resetting the modem and installing new firmware. The modem requires the proper  
access level to access web interface pages containing forms that allow a user  
to perform these actions, but does not properly authenticate the pages that  
actually carry out these actions. By sending a POST request directly to these  
pages, these actions may be performed without any authentication. Attacks may  
be performed by an attacker on the local network or by leveraging the CSRF  
vulnerability. This issue has been assigned CVE-2010-2026.  
  
==Identifying Vulnerable Installations==  
  
Most home installations of this modem will feature a web interface that is  
accessible at "http://192.168.100.1". The following proof-of-concept code may  
be used to test for vulnerability. It leverages the CSRF vulnerability to  
change the access level of your modem to the most restrictive settings (a  
harmless action). If your modem is vulnerable, then you will be presented with  
a message stating that your settings have been successfully updated. If you  
are greeted with a page stating there was a "Password confirmation error", then  
your modem password has been changed from the default but you are still  
vulnerable. If you are greeted with an HTTP authentication form or other  
message, then your model is not vulnerable.  
  
<html>  
<head>  
<title>Test for CSRF vulnerability in WebSTAR modems</title>  
</head>  
  
<body>  
  
<form name="csrf" method="post" action="http://192.168.100.1/goform/_aslvl">  
<input type="hidden" name="SAAccessLevel" value="0">  
<input type="hidden" name="SAPassword" value="W2402">  
</form>  
  
<script>document.csrf.submit()</script>  
  
</body>  
</html>  
  
==Solution==  
  
In most cases, home users will be unable to update vulnerable firmware without  
assistance from their cable providers. If your firmware is vulnerable, contact  
your cable provider and request a firmware update to the latest version. For  
the DPC2100R2 modems, the latest version string is  
dpc2100R2-v202r1256-100324as.  
  
To prevent exploitation of CSRF vulnerabilities, users are always encouraged  
to practice safe browsing habits and avoid visiting unknown or untrusted  
websites.  
  
==Credits==  
  
These vulnerabilities were discovered by Dan Rosenberg  
([email protected]).  
  
Thanks to Matthew Bergin for suggesting I should look at cable modems.  
  
==Timeline==  
  
1/26/10 - Vulnerability reported to Cisco  
1/26/10 - Response, issue assigned internal tracking number  
2/26/10 - Status update requested  
2/26/10 - Response  
5/15/10 - Status update requested  
5/17/10 - Response, confirmation that newest firmware resolves issues  
5/17/10 - Disclosure date set  
5/24/10 - Disclosure  
  
==References==  
  
CVE identifiers CVE-2010-2025 and CVE-2010-2026 have been assigned to these  
issues.  
`