ESB-2014.1179 - ALERT [Cisco] Cisco Wireless Residential Gateway: Execute arbitrary code/commands - Remote/unauthenticated

Date: 17 July 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1179
  Cisco Wireless Residential Gateway Remote Code Execution Vulnerability
                               17 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Wireless Residential Gateway
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3306  

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-20140716-cm

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Wireless Residential Gateway Remote Code Execution Vulnerability

Advisory ID: ciscosa-20140716-cm


Revision 1.0

For Public Release 2014 July 16 16:00  UTC (GMT)

Summary

A vulnerability in the web server used in multiple Cisco Wireless Residential Gateway products could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.

The vulnerability is due to incorrect input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. 

Cisco has released free software updates that address this vulnerability. 
Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-20140716-cm

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----