Cisco Systems Inc. has fixed a variety of security holes in its wireless programs that online outlaws could exploit to bypass security features, access sensitive data, launch cross-site scripting attacks and do other damage.
The first problem affects the Cisco Wireless Control System (WCS), a platform designed to help enterprises design, control and monitor Cisco wireless LANs. According to the San Jose, Calif.-based networking giant, remote attackers could exploit the flaws to:
Access sensitive configuration information about access points managed by WCS;
Read from and write to arbitrary files on a WCS system;
Log in to a WCS system with a default administrator password;
Execute script code in a WCS user's web browser; and
Access directories that may reveal sensitive WCS configuration information.
Danish vulnerability clearinghouse Secunia provided the following description of the flaws in its advisory:
An undocumented username and hard-coded password exist in the WCS. This can be exploited to connect to the WCS internal database and to gain access to the configuration information of managed wireless access points. The security issue has been reported in WCS for Linux and Windows 3.2(40) and prior.
Undocumented database usernames and passwords are stored in clear text in several WCS files. This can potentially be exploited by local users to gain knowledge of the user credentials and to gain access to the database. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior.
An error within the internal TFTP server allows reading from or writing to arbitrary locations in the file system of a WCS system. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior.
Input passed to the unspecified parameter in the login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior.
An access control error within the WCS HTTP server can be exploited to gain access to certain directories, which may contain sensitive information like WCS usernames and directory paths. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior.
The solution is to update to WCS for Linux and Windows 3.2(63) or later.
The second problem affects Cisco Wireless Access Point products and can be exploited to bypass security restrictions.
"The vulnerability is caused due to an error within the Web management interface when the admin access configuration has been changed from 'Default Authentication' to 'Local User List Only,'" Secunia said. "This causes the access point to be reconfigured with no security enabled, thus allowing open access to the access point via the web interface or via the console port with no validation of user credentials."
The flaw has been reported in the following products when running Cisco IOS Software Release 12.3(8)JA or 12.3(8)JA1:
350 Wireless Access Point and Wireless Bridge
1100 Wireless Access Point
1130 Wireless Access Point
1200 Wireless Access Point
1240 Wireless Access Point
1310 Wireless Bridge
1410 Wireless Access Point
The solution is to update to Cisco IOS Software Release 12.3(8)JA2.
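For administrators checking an inventory against the releases named above, here is an added Python example (not from the article, Cisco or Secunia) that parses Cisco release strings and reports which of the described issues apply. The function names and the "below-fixed-release" status are assumptions made for illustration; the article does not classify WCS releases between 3.2(51) and 3.2(63).

```python
import re

# Release numbers and model names come from the article; all identifiers are illustrative.
WCS_ISSUES = [  # (issue, last WCS release reported affected)
    ("undocumented username with hard-coded password", (3, 2, 40)),
    ("clear-text database credentials in WCS files", (3, 2, 51)),
    ("TFTP server arbitrary file read/write", (3, 2, 51)),
    ("cross-site scripting in login page", (3, 2, 51)),
    ("HTTP server directory access control error", (3, 2, 51)),
]
WCS_FIXED = (3, 2, 63)
AP_MODELS = {"350", "1100", "1130", "1200", "1240", "1310", "1410"}
AP_AFFECTED_IOS = {"12.3(8)JA", "12.3(8)JA1"}

_RELEASE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)(\d*)\s*$")

def parse_release(text):
    """Split '3.2(51)' or '12.3(8)JA1' into ((major, minor, build), train, rebuild)."""
    m = _RELEASE.match(text)
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, build, train, rebuild = m.groups()
    return (int(major), int(minor), int(build)), train.upper(), int(rebuild or 0)

def wcs_findings(release):
    """Return (status, issues) for a WCS release string."""
    numbers, _, _ = parse_release(release)
    if numbers >= WCS_FIXED:
        return "fixed", []
    issues = [name for name, last in WCS_ISSUES if numbers <= last]
    # Releases after 3.2(51) but before 3.2(63) are neither listed as affected nor fixed.
    return ("affected" if issues else "below-fixed-release"), issues

def ap_affected(model, ios_release):
    """True when the model is listed and the IOS release is 12.3(8)JA or 12.3(8)JA1."""
    numbers, train, rebuild = parse_release(ios_release)
    normalised = "%d.%d(%d)%s%s" % (*numbers, train, rebuild or "")
    return model in AP_MODELS and normalised in AP_AFFECTED_IOS
```

A "below-fixed-release" result still calls for the upgrade to 3.2(63) or later, since the article gives no statement about those releases.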