Cisco released an advisory regarding three weaknesses in the Cisco Wireless Control System. This is Cisco’s central platform for the management of their WLAN equipment.

• WCS apparently uses fixed and unchangeable authentication credentials on the FTP service used by the Wireless Location Appliances for backup purposes. Fixed in WCS 4.0.96.0. This is regular FTP, so these passwords can be sniffed off the network and re-used by an attacker.
• WCS suffers from a privilege escalation vulnerability that allows valid users to access information from any WCS configuration page (fixed in 4.0.81.0) or to become a member of the SuperUsers group (fixed in 4.0.87.0).
• Certain WCS directories are not password protected. This may lead to disclosure of private information such as access point location. Fixed in 4.0.66.0.

They also released a second advisory on vulnerabilities in the Cisco Wireless LAN controller and their Lightweight Access Points. A number of fixed versions are pending release, so check the advisory for up-to-date information.

Applicable to the WLC are:

• Use of default community strings (public/private);
• The device may be crashed by sending malformed ethernet traffic;
• Some or all of the Network Processing Units within the WLC may be locked up by sending malformed traffic, including some SNAP packets, malformed 802.11 traffic or packets with unexpected length values in headers;
• WLAN ACLs could in some cases not survive a reboot.

The Cisco Aironet 1000 and 1500 lightweight access points are reported to contain a hard-coded service password. This is only available over a physical console connection, though.

--
Maarten Van Horenbeeck