PT-2017-18961 · Cisco+1 · Cisco Dpc3939B+3

Chris Grayson +2 · Published 2017-07-31 · Updated 2021-09-13 · CVE-2017-9491

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST
Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST
Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST
Cisco DPC3941T version DPC3941 2.5s3 PROD sey
Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey

Description

The Comcast firmware on the affected devices does not set the secure flag for cookies in an https session to an administration application. This makes it easier for remote attackers to capture these cookies by intercepting their transmission within an http session.

Recommendations

For Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST, consider disabling access to the administration application until a patch is available.
For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider disabling access to the administration application until a patch is available.
For Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST, consider disabling access to the administration application until a patch is available.
For Cisco DPC3941T version DPC3941 2.5s3 PROD sey, consider disabling access to the administration application until a patch is available.
For Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey, consider disabling access to the administration application until a patch is available.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2017-9491

Affected Products

Arris Tg1682G
Cisco Dpc3939
Cisco Dpc3939B
Cisco Dpc3941T