The vulnerability can be exploited to inject arbitrary commands and execute arbitrary code with elevated privileges.
The vulnerability can be exploited to inject arbitrary commands and execute arbitrary code with elevated privileges.

Cisco, one of the leading manufacturers of networking equipment, announced yesterday that a significant remote code execution vulnerability exists in the web server used in several of its Wireless Residential Gateway products.

The vulnerability – CVE-2014-3306 – can be exploited by sending a crafted HTTP request to the affected device, enabling an attacker to crash the embedded web server and inject arbitrary commands and execute arbitrary code with elevated privileges, according to a Wednesday post.

The following devices are affected: DPC3212 and EPC3212 VoIP Cable Modem, DPC3825 and EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway, DPC3010 and EPC3010 DOCSIS 3.0 8x4 Cable Modem, DPC3925 and EPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA, and DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA.

“It's a high severity vulnerability,” Wolfgang Kandek, CTO of Qualys, told SCMagazine.com on Thursday, adding no authentication is necessary to exploit it. “I'm not sure how widely [the devices are] installed, but I would imagine there are millions in use.”

There are no workarounds for the vulnerability, meaning that users will have to download free software updates in order to address the issue, according to the post, which adds that the Cisco Product Security Incident Response Team is not aware of any abuse of the flaw.

The most likely use for the exploit would be to change DNS servers, enabling an attacker to surreptitiously control the advertisements that a user sees when browsing, Kandek said, adding the attacker could also make it so malware is delivered if a user clicks on the fraudulent advertisements.

“I think the attack is easy,” Kandek said. “Definitely update your equipment if you [own these devices].”