New Cisco Vulnerability – My Personal Journey

Yesterday, Cisco announced that nine of their home networking products have a critical security vulnerability that needs to be fixed. The problem stems from a buffer overflow caused by incorrect validation of HTTP requests, which allows a hacker to run arbitrary code on your device. This new Cisco vulnerability was officially disclosed by Cisco as well as US-CERT (the US Computer Emergency Readiness Team). The problem was rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS), meaning that it’s a really, really nasty problem that can completely compromise the integrity and availability of your home network.

The affected Cisco devices include:

  • Cisco DPC3212 VoIP Cable Modem
  • Cisco DPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway
  • Cisco EPC3212 VoIP Cable Modem
  • Cisco EPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway
  • Cisco Model DPC3010 DOCSIS 3.0 8×4 Cable Modem
  • Cisco Model DPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
  • Cisco Model DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
  • Cisco Model EPC3010 DOCSIS 3.0 Cable Modem
  • Cisco Model EPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA

Cisco has made a patch available that fixes this critical problem and suggests that everyone with one of the affected devices upgrade their firmware. Unfortunately, Cisco also says this:

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action. 

This probably affects most users of these devices since they’re typically used by ISP subscribers who get them from their ISPs. This means that people are at the mercy of their ISP to receive this fix.

My Personal Journey With This Cisco Vulnerability

It just so happens that I have one of the affected devices – a DPC3825 that I received as a Rogers Hi-Speed Internet customer in Canada. I was never too impressed with the device and simply use it as a modem now – there’s a much better router that sits between it and the rest of my home network. The thing that I liked the least about the modem (and the issue that made me really want something between it and me) was that it had a non-configurable userid/password for Rogers technicians to get into it. This userid/password was searchable on the internet (just look up rogcesadmin), meaning anyone could get administrator access to my modem and there was nothing I could do about it.

Anyway, I realized that this vulnerability was bad enough that I really did have to update the firmware. As Cisco advised, I’d need to go through Rogers to do this. I really had no choice because the gateway does not have any way for users to upgrade the firmware themselves as most routers have – the only choice for upgrade was through the ISP – Rogers.

I phoned Rogers technical support and realized that I had an uphill battle to try to get to anyone who would understand the issues. The lady I spoke with listened attentively as I described the situation and she really seemed to want to help me with the problem. I asked her if she knew of anyone at Rogers who knew about the problem, and if they were going to fix it. She said she didn’t know about any new problems, but was aware that a firmware update was made sometime in March when all of the hacking was going on. I’m not really sure what she was referring to, but I do know that my firmware WAS updated a few months ago, and the rogcesadmin login seems to be gone now. Maybe too many people had their routers hacked.

At this point, I thought I’d be a good citizen and point her to the vulnerability disclosure documents so she could see for herself and bring it to the attention of her superiors. Cisco and US-CERT are highly reliable sources, so they’d have to understand. I slowly told her what to search for on Google: “Cisco Wireless Residential Gateway Remote Code Execution Vulnerability”. Nope, she said that the system she was using would normally allow her to use Google, but for some reason this was being blocked. I suggested a few other searches – all blocked.

All of this was rather frustrating and I saw that I was going nowhere. Then out of the blue she suggested that maybe I should speak with someone from the Tier 2 support team. Yes! Tier 2! They’ll understand what I’m talking about. She put me on hold as she went to set up the connection.

Five minutes later she comes back with the bad news. According to Tier 2 support, if I didn’t receive an official announcement directly from Rogers, it probably isn’t true. That’s right, if it isn’t from Rogers, “don’t believe what you read”. And yes, there are quotes on that because it is a direct quote from the Tier 2 team. And yes, it’s hard to be a good citizen and I gave up.

Where We Stand Now

I know loads of people on Rogers Internet as it’s such a large company in Canada. Most of them have routers just like mine, and they’re all ripe for a nice Hack of Mass Destruction. I was proactive in learning about my equipment. I was proactive in following Cisco’s instructions for trying to get my device upgraded as per their suggestion.

So why was this so difficult to fix and why did the system fail? I believe that the answer to that question is the same as the answer to the much bigger question of why this website and RouterCheck are necessary in the first place. Things don’t work and no one cares. Where will it end?