Marc Newlin

**Name of the Vulnerable Software and Affected Versions** Magic Keyboard versions prior to 2.0.6 **Description** A session management issue was addressed with improved checks. An attacker with physical access to the accessory may be able to extract its Bluetooth pairing key and monitor Bluetooth traffic. The issue is related to the management of user sessions and can be exploited to gain unauthorized access to Bluetooth traffic. **Recommendations** For Magic Keyboard versions prior to 2.0.6, update to Magic Keyboard Firmware Update 2.0.6 to fix the issue. As a temporary workaround, consider restricting physical access to the accessory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Bluetooth Driver (affected versions not specified) **Description** The issue is related to errors in the representation of information by the user interface in the Microsoft Bluetooth Driver. It allows a remote attacker to conduct spoofing attacks. The vulnerability can be exploited to pair a virtual Bluetooth keyboard without authentication or user confirmation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BlueZ versions prior to the fixed version Android versions prior to 11 Linux versions with vulnerable Bluetooth stacks macOS versions with vulnerable Bluetooth stacks iOS versions with vulnerable Bluetooth stacks **Description** A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS, and iOS devices. The issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim. This could lead to remote escalation of privilege with no additional execution privileges needed, and user interaction is not required for exploitation. The estimated number of potentially affected devices worldwide is not specified, but the flaw affects multiple operating systems, including Android, Linux, macOS, and iOS. **Recommendations** For BlueZ: Update to a version that includes the fix for the authentication bypass vulnerability. For Android versions prior to 11: No solution is available yet, consider disabling Bluetooth when not in use as a temporary workaround. For Linux versions with vulnerable Bluetooth stacks: Update to a version that includes the fix for the authentication bypass vulnerability. For macOS versions with vulnerable Bluetooth stacks: Update to a version that includes the fix for the authentication bypass vulnerability. For iOS versions with vulnerable Bluetooth stacks: Update to a version that includes the fix for the authentication bypass vulnerability, such as iOS and iPadOS 17.2.

**Name of the Vulnerable Software and Affected Versions** Logitech Unifying devices versions prior to 2016-02-26 **Description** The issue allows keystroke injection, bypassing encryption, and is also known as MouseJack. **Recommendations** For Logitech Unifying devices versions prior to 2016-02-26, update to a version released after 2016-02-26 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to discover hidden Home Security Wi-Fi networks. This is possible because the Comcast firmware on the devices sets the CM MAC address to a value with a two-byte offset from the MTA/VoIP MAC address, which is embedded into the DNS hostname. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST, update the firmware to a version that does not embed the MTA/VoIP MAC address into the DNS hostname. For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, update the firmware to a version that does not embed the MTA/VoIP MAC address into the DNS hostname. As a temporary workaround, consider restricting access to the DNS hostname to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows local users with command access to read arbitrary files via UPnP access to the `/var/IGD/` directory. This can be exploited by users who have gained command access as a result of previous exploitation. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider restricting access to the `/var/IGD/` directory to minimize the risk of exploitation. As a temporary workaround, disabling UPnP access until a patch is available can help mitigate the issue.

**Name of the Vulnerable Software and Affected Versions** Comcast firmware on Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to gain unintended access to the Network Processor (NP) 169.254/16 IP network. This is achieved by adding a routing-table entry that specifies the LAN IP address as the router for that network. **Recommendations** For Comcast firmware on Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider restricting access to the routing-table configuration to prevent unauthorized modifications until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to discover a CM MAC address by sniffing Wi-Fi traffic and performing simple arithmetic calculations. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST, at the moment, there is no information about a newer version that contains a fix for this issue. For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to write arbitrary data to a known pathname, specifically /var/tmp/sess *, by leveraging the device's operation in UI dev mode. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider disabling the UI dev mode as a temporary workaround to minimize the risk of exploitation. Restrict access to the /var/tmp/sess * pathname to prevent arbitrary data writes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST **Description** The issue allows remote attackers to compute password-of-the-day values. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST Cisco DPC3941T version DPC3941 2.5s3 PROD sey **Description** The issue allows remote attackers to discover a WAN IPv6 IP address by leveraging knowledge of the CM MAC address. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Cisco DPC3941T version DPC3941 2.5s3 PROD sey, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST Cisco DPC3941T version DPC3941 2.5s3 PROD sey **Description** The issue allows remote attackers to access the web UI by establishing a session to the `wan0` WAN IPv6 address and then entering unspecified hardcoded credentials. This `wan0` interface cannot be accessed from the public Internet. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider restricting access to the `wan0` interface to minimize the risk of exploitation. For Cisco DPC3941T version DPC3941 2.5s3 PROD sey, consider restricting access to the `wan0` interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST **Description** The issue allows configuration changes via CSRF, which can be exploited to make unauthorized changes to the device settings. **Recommendations** For Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST, as a temporary workaround, consider implementing CSRF protection measures, such as validating request tokens, to prevent unauthorized configuration changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arris TG1682G devices with Comcast firmware, versions 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey **Description** The issue allows configuration changes via CSRF, which can be exploited to make unauthorized changes to the device settings. **Recommendations** For Arris TG1682G devices with Comcast firmware, version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey, consider disabling web management access until a patch is available to prevent exploitation via CSRF.

**Name of the Vulnerable Software and Affected Versions** Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST Cisco DPC3941T version DPC3941 2.5s3 PROD sey Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey **Description** The Comcast firmware on the affected devices does not set the secure flag for cookies in an https session to an administration application. This makes it easier for remote attackers to capture these cookies by intercepting their transmission within an http session. **Recommendations** For Cisco DPC3939 version dpc3939-P20-18-v303r20421733-160420a-CMCST, consider disabling access to the administration application until a patch is available. For Cisco DPC3939 version dpc3939-P20-18-v303r20421746-170221a-CMCST, consider disabling access to the administration application until a patch is available. For Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST, consider disabling access to the administration application until a patch is available. For Cisco DPC3941T version DPC3941 2.5s3 PROD sey, consider disabling access to the administration application until a patch is available. For Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey, consider disabling access to the administration application until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey **Description** The issue allows remote attackers to conduct successful forced-pairing attacks between an RF4CE remote and a set-top box by repeatedly transmitting the same pairing code. **Recommendations** For Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey, consider restricting access to the pairing functionality to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Motorola MX011ANM firmware version MX011AN 2.9p6s1 PROD sey **Description** The issue allows remote attackers to enable a Remote Web Inspector that is accessible from the public Internet. **Recommendations** For Motorola MX011ANM firmware version MX011AN 2.9p6s1 PROD sey, as a temporary workaround, consider disabling the Remote Web Inspector feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey **Description** The issue allows physically proximate attackers to read arbitrary files on the device. This can be achieved by pressing a specific sequence of buttons on an RF4CE remote to access the diagnostic display and then launching a Remote Web Inspector script. **Recommendations** For Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey, consider restricting physical access to the device to minimize the risk of exploitation. As a temporary workaround, avoid using the Remote Web Inspector script until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey **Description** The issue allows physically proximate attackers to access an SNMP server by connecting a cable to the Ethernet port and establishing communication with the device's link-local IPv6 address. **Recommendations** For Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey, consider restricting physical access to the Ethernet port to minimize the risk of exploitation. As a temporary workaround, consider disabling the SNMP server until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey **Description** The issue allows physically proximate attackers to execute arbitrary commands as root. This can be achieved by accessing the diagnostics menu on the set-top box and then posting to a Web Inspector route. **Recommendations** For Comcast firmware on Motorola MX011ANM version MX011AN 2.9p6s1 PROD sey, consider restricting physical access to the set-top box to minimize the risk of exploitation. As a temporary workaround, limit access to the diagnostics menu and Web Inspector routes until a patch is available.