Cisco released an advisory regarding three weaknesses in the Cisco Wireless Control System. This is Cisco’s central platform for the management of their WLAN equipment.
- WCS apparently uses fixed and unchangeable authentication credentials on the FTP service used by the Wireless Location Appliances for backup purposes. Fixed in WCS 220.127.116.11. This is regular FTP, so these passwords can be sniffed off the network and re-used by an attacker.
- WCS suffers from a privilege escalation vulnerability that allows valid users to access information from any WCS configuration page (fixed in 18.104.22.168) or to become a member of the SuperUsers group (fixed in 22.214.171.124).
- Certain WCS directories are not password protected. This may lead to disclosure of private information such as access point location. Fixed in 126.96.36.199.
They also released a second advisory on vulnerabilities in the Cisco Wireless LAN controller and their Lightweight Access Points. A number of fixed versions are pending release, so check the advisory for up-to-date information.
Applicable to the WLC are:
- Use of default community strings (public/private);
- The device may be crashed by sending malformed Ethernet traffic;
- Some or all of the Network Processing Units within the WLC may be locked up by sending malformed traffic, including some SNAP packets, malformed 802.11 traffic or packets with unexpected length values in headers;
- In some cases, WLAN ACLs may not survive a reboot.
The Cisco Aironet 1000 and 1500 lightweight access points are reported to contain a hard-coded service password. This is only available over a physical console connection, though.
Maarten Van Horenbeeck