Chris Grayson

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to execute arbitrary commands as root by leveraging local network access and connecting to the `syseventd` server. This can be achieved by copying configuration data into a readable filesystem, thus enabling the execution of shell commands with root privileges. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider restricting access to the `syseventd` server as a temporary workaround until a patch is available. Additionally, limiting local network access can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey) **Description** The issue allows remote attackers to easily determine the hidden SSID and passphrase for a Home Security Wi-Fi network. This is due to a problem in the Comcast firmware on the affected devices. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST, update the firmware to a version that is not affected by this issue. For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, update the firmware to a version that is not affected by this issue. For Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey), update the firmware to a version that is not affected by this issue. As a temporary workaround, consider changing the Wi-Fi network settings to use a different security method until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to discover the CM MAC address by connecting to the device's xfinitywifi hotspot. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST, consider disabling the xfinitywifi hotspot until a patch is available. For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider disabling the xfinitywifi hotspot until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to discover hidden Home Security Wi-Fi networks. This is possible because the Comcast firmware on the devices sets the CM MAC address to a value with a two-byte offset from the MTA/VoIP MAC address, which is embedded into the DNS hostname. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST, update the firmware to a version that does not embed the MTA/VoIP MAC address into the DNS hostname. For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, update the firmware to a version that does not embed the MTA/VoIP MAC address into the DNS hostname. As a temporary workaround, consider restricting access to the DNS hostname to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows local users with command access to read arbitrary files via UPnP access to the `/var/IGD/` directory. This can be exploited by users who have gained command access as a result of previous exploitation. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider restricting access to the `/var/IGD/` directory to minimize the risk of exploitation. As a temporary workaround, disabling UPnP access until a patch is available can help mitigate the issue.

**Name of the Vulnerable Software and Affected Versions** Comcast firmware on Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to gain unintended access to the Network Processor (NP) 169.254/16 IP network. This is achieved by adding a routing-table entry that specifies the LAN IP address as the router for that network. **Recommendations** For Comcast firmware on Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider restricting access to the routing-table configuration to prevent unauthorized modifications until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to discover a CM MAC address by sniffing Wi-Fi traffic and performing simple arithmetic calculations. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST, at the moment, there is no information about a newer version that contains a fix for this issue. For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to write arbitrary data to a known pathname, specifically /var/tmp/sess *, by leveraging the device's operation in UI dev mode. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider disabling the UI dev mode as a temporary workaround to minimize the risk of exploitation. Restrict access to the /var/tmp/sess * pathname to prevent arbitrary data writes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to compute password-of-the-day values. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST Cisco DPC3941T version DPC3941 2.5s3 PROD sey **Description** The issue allows remote attackers to discover a WAN IPv6 IP address by leveraging knowledge of the CM MAC address. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Cisco DPC3941T version DPC3941 2.5s3 PROD sey, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST Cisco DPC3941T version DPC3941 2.5s3 PROD sey **Description** The issue allows remote attackers to access the web UI by establishing a session to the `wan0` WAN IPv6 address and then entering unspecified hardcoded credentials. This `wan0` interface cannot be accessed from the public Internet. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider restricting access to the `wan0` interface to minimize the risk of exploitation. For Cisco DPC3941T version DPC3941 2.5s3 PROD sey, consider restricting access to the `wan0` interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST **Description** The issue allows configuration changes via CSRF, which can be exploited to make unauthorized changes to the device settings. **Recommendations** For Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST, as a temporary workaround, consider implementing CSRF protection measures, such as validating request tokens, to prevent unauthorized configuration changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arris TG1682G devices with Comcast firmware, versions 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey **Description** The issue allows configuration changes via CSRF, which can be exploited to make unauthorized changes to the device settings. **Recommendations** For Arris TG1682G devices with Comcast firmware, version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey, consider disabling web management access until a patch is available to prevent exploitation via CSRF.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST Cisco DPC3941T version DPC3941 2.5s3 PROD sey Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey **Description** The Comcast firmware on the affected devices does not set the secure flag for cookies in an https session to an administration application. This makes it easier for remote attackers to capture these cookies by intercepting their transmission within an http session. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST, consider disabling access to the administration application until a patch is available. For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider disabling access to the administration application until a patch is available. For Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST, consider disabling access to the administration application until a patch is available. For Cisco DPC3941T version DPC3941 2.5s3 PROD sey, consider disabling access to the administration application until a patch is available. For Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey, consider disabling access to the administration application until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 versions dpc3939-P20-18-v303r20421733-160420a-CMCST through dpc3939-P20-18-v303r20421746-170221a-CMCST Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST Cisco DPC3941T version DPC3941 2.5s3 PROD sey Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey **Description** The issue concerns the absence of the HTTPOnly flag in a Set-Cookie header for administration applications. This omission makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies. **Recommendations** For Cisco DPC3939 versions dpc3939-P20-18-v303r20421733-160420a-CMCST through dpc3939-P20-18-v303r20421746-170221a-CMCST, consider configuring the administration application to include the HTTPOnly flag in the Set-Cookie header. For Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST, consider configuring the administration application to include the HTTPOnly flag in the Set-Cookie header. For Cisco DPC3941T version DPC3941 2.5s3 PROD sey, consider configuring the administration application to include the HTTPOnly flag in the Set-Cookie header. For Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey, consider configuring the administration application to include the HTTPOnly flag in the Set-Cookie header.

**Name of the Vulnerable Software and Affected Versions** Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey **Description** The issue allows remote attackers to conduct successful forced-pairing attacks between an RF4CE remote and a set-top box by repeatedly transmitting the same pairing code. **Recommendations** For Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey, consider restricting access to the pairing functionality to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Motorola MX011ANM firmware version MX011AN 2.9p6s1 PROD sey **Description** The issue allows remote attackers to enable a Remote Web Inspector that is accessible from the public Internet. **Recommendations** For Motorola MX011ANM firmware version MX011AN 2.9p6s1 PROD sey, as a temporary workaround, consider disabling the Remote Web Inspector feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey **Description** The issue allows physically proximate attackers to read arbitrary files on the device. This can be achieved by pressing a specific sequence of buttons on an RF4CE remote to access the diagnostic display and then launching a Remote Web Inspector script. **Recommendations** For Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey, consider restricting physical access to the device to minimize the risk of exploitation. As a temporary workaround, avoid using the Remote Web Inspector script until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey **Description** The issue allows physically proximate attackers to access an SNMP server by connecting a cable to the Ethernet port and establishing communication with the device's link-local IPv6 address. **Recommendations** For Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey, consider restricting physical access to the Ethernet port to minimize the risk of exploitation. As a temporary workaround, consider disabling the SNMP server until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey **Description** The issue allows physically proximate attackers to execute arbitrary commands as root. This can be achieved by accessing the diagnostics menu on the set-top box and then posting to a Web Inspector route. **Recommendations** For Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey, consider restricting physical access to the set-top box to minimize the risk of exploitation. As a temporary workaround, limit access to the diagnostics menu and Web Inspector routes until a patch is available.