CVE-2023-27572 - Reflected XSS Vulnerability in CommScope Arris DG345 Cable Gateway (AR01.02.056.18_041520_711.NCS.10)

---

Overview

A reflected Cross-Site Scripting (XSS) vulnerability (CVE-2023-27572) has been discovered in CommScope Arris DG345 Cable Gateway, specifically version AR01.02.056.18_041520_711.NCS.10. The flaw resides in the https_redirect.php web page due to improper validation of the page parameter. This vulnerability could allow attackers to execute malicious scripts within the context of a user’s browser, leading to possible session hijacking, credential theft, or other malicious actions.

This article covers the technical details, a simple exploit example, and references to the original disclosure.

What is CVE-2023-27572?

CVE-2023-27572 is an identifier given to a reflected XSS issue within CommScope Arris DG345’s firmware, where user-controlled input (page parameter) is not sufficiently sanitized before being reflected back to the browser.

Understanding the Vulnerability

A reflected XSS means that user-supplied data in the URL or form is immediately returned (reflected) as part of the webpage response. If this data isn’t sanitized, attackers can inject JavaScript that will execute in the browser of anyone following a crafted link.

For example, an attacker can send a crafted URL to a victim and, if they click, the victim’s browser will unintentionally run the attacker's code.

In this case, the vulnerable piece is the page parameter in https_redirect.php.

Let's see a typical HTTP request triggering the vulnerability

GET /https_redirect.php?page=<script>alert('XSS')</script> HTTP/1.1
Host: [your-router-ip]

When the page parameter contains <script>alert('XSS')</script>, the server responds by embedding this value in its output without sanitizing it. The victim's browser then executes the script.

While the actual source code isn’t public, the issue likely looks like this

<?php
// https_redirect.php

if (isset($_GET['page'])) {
    $page = $_GET['page'];
    echo "You will be redirected to: $page";
    // ...rest of the code...
}
?>

Notice that $page is used directly without escaping. The attacker can inject HTML/JavaScript.

`

http://[router-ip]/https_redirect.php?page=alert('Hacked!')

Share this URL with a victim (phishing, email, messenger, etc.).

3. When Victim Clicks, their browser receives the server’s response, which includes the attacker's JavaScript.

Access the following link while connected to the admin network of the vulnerable device

http://192.168..1/https_redirect.php?page=<script>alert('Vulnerable!')</script>;

Browser Exploitation: By chaining with other attacks, could break browser security.

Note: The risk is lower unless a user clicks a specially-crafted link, but in corporate or ISP environments, this could facilitate a worm or automated attack.

Mitigation

- Update Firmware: Check if your ISP or CommScope has released a patched firmware addressing CVE-2023-27572. Install it as soon as possible.
- Web Security Best Practices: Never trust user input. Always escape outputs using proper encoding functions.

Network Monitoring: Watch for requests to https_redirect.php with suspicious parameters.

Temporary workaround: Limit access to the admin interface to trusted networks and users only.

References

- NVD - CVE-2023-27572 Entry
- Full Disclosure (Mailing List) Entry
- Arris/CommScope Official Site

Conclusion

Reflected XSS like CVE-2023-27572 is a common yet dangerous flaw in network devices like cable gateways. If you own or administer an Arris DG345, check your firmware and stay alert for firmware patches. Always beware of suspicious links, especially if you have device administration privileges.

Stay safe, patch promptly, and keep your devices secure!


*Feel free to share this post to help others understand and fix this issue. If you have more details or updates, leave a comment or contact us directly.*

Timeline

Published on: 04/15/2023 00:15:00 UTC
Last modified on: 04/21/2023 03:46:00 UTC