Matthew Jakubowski

**Name of the Vulnerable Software and Affected Versions** SMC SMCD3G-CCR versions prior to 1.4.0.49.2 **Description** The issue allows remote attackers to gain administrative access due to a default password for the `mso` account. This default password is 'D0nt4g3tme'. Attackers can exploit this via the web interface or TELNET interface. **Recommendations** For versions prior to 1.4.0.49.2, update the firmware to version 1.4.0.49.2 or later to change the default password for the `mso` account. As a temporary workaround, consider changing the default password for the `mso` account to a strong, unique password until the firmware can be updated.

**Name of the Vulnerable Software and Affected Versions** SMC SMCD3G-CCR (aka Comcast Business Gateway) versions prior to 1.4.0.49.2 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in the web interface. These vulnerabilities allow remote attackers to hijack the intranet connectivity of arbitrary users for requests that perform a login via "goform/login". Additionally, attackers can hijack the authentication of administrators for requests that enable external logins via an "mso remote enable" action to "goform/RemoteRange" or change DNS settings via a "manual dns enable" action to "goform/Basic". **Recommendations** For versions prior to 1.4.0.49.2, update the firmware to version 1.4.0.49.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the web interface and avoiding the use of the vulnerable `goform/login`, `goform/RemoteRange`, and `goform/Basic` endpoints until the update is applied.

**Name of the Vulnerable Software and Affected Versions** SMC SMCD3G-CCR (aka Comcast Business Gateway) versions prior to 1.4.0.49.2 **Description** The issue concerns the web management portal of the affected device, which uses predictable session IDs based on time values. This predictability makes it easier for remote attackers to hijack sessions via a brute-force attack on the `userid` cookie. **Recommendations** For versions prior to 1.4.0.49.2, update the firmware to version 1.4.0.49.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the web management portal to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iSpot versions 2.0.0.0 R1679 ClearSpot versions 2.0.0.0 R1512 through 2.0.0.0 R1786 with firmware 1.9.9.4 **Description** The issue allows remote attackers to hijack the authentication of administrators for various requests, including executing arbitrary commands, enabling remote management, enabling the TELNET service, enabling TELNET sessions, and reading arbitrary files. This can be achieved through multiple cross-site request forgery (CSRF) vulnerabilities. Specifically, the vulnerabilities exist in the following API endpoints and parameters: "webmain.cgi" with the `cmd` parameter in an "act cmd result" action, "webmain.cgi" with an "enable remote access" "act network set" action, "webmain.cgi" with an "ENABLE TELNET" "act set wimax etc config" action, "webmain.cgi" with a certain "act network set" action, and "upgrademain.cgi" with the `FILE PATH` parameter in an "act file download" action. **Recommendations** For iSpot version 2.0.0.0 R1679, consider disabling the `cmd` parameter in the "act cmd result" action to "webmain.cgi" and restrict access to the "enable remote access" and "ENABLE TELNET" actions until a patch is available. For ClearSpot versions 2.0.0.0 R1512 through 2.0.0.0 R1786 with firmware 1.9.9.4, restrict access to the "act network set" action and the `FILE PATH` parameter in the "act file download" action to "upgrademain.cgi" until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.