Cisco in a Security Advisory issued today said, the vulnerability is due to incorrect input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. Successful exploitation could allow the attacker to crash the web server and execute arbitrary code with elevated privileges.
This vulnerability exists in both of the operating mode of the device, whether the device is configured in Router mode or Gateway mode. Currently no Workarounds are available that would mitigate this vulnerability, Cisco said. Cisco has released a free software update to its service provider customers that address the vulnerability, advising the customers to contact their service provider to confirm the software provided by the service provider carries the fix.
The Cisco products affected to this vulnerability are listed below:
- Cisco DPC3212 VoIP Cable Modem
- Cisco DPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway
- Cisco EPC3212 VoIP Cable Modem
- Cisco EPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway
- Cisco Model DPC3010 DOCSIS 3.0 8×4 Cable Modem
- Cisco Model DPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
- Cisco Model DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
- Cisco Model EPC3010 DOCSIS 3.0 Cable Modem
- Cisco Model EPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA