Cisco Products Multiple Vulnerabilities

Secunia Advisory: SA24865
Release Date: 2007-04-13
Last Update: 2007-06-15

Critical: Moderately critical

Impact:
* Security Bypass
* Manipulation of data
* Exposure of system information
* Exposure of sensitive information
* Privilege escalation
* DoS
* System access

Where: From remote
Solution Status: Partial Fix

OS:
* Cisco 2000 Series Wireless LAN Controller
* Cisco 2100 Series Wireless LAN Controller
* Cisco 4400 Series Wireless LAN Controller
* Cisco Aironet 1000 Series Access Point
* Cisco Aironet 1500 Series Access Point
* Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
* Cisco Wireless LAN Controller Module

Software:
* Cisco Catalyst 6500 Series Wireless Service Module (WiSM)
* Cisco Wireless Control System (WCS)

CVE reference: CVE-2007-2040



Description:
Some vulnerabilities and security issues have been reported in various Cisco products, which can be exploited by malicious users to gain escalated privileges, and by malicious people to disclose sensitive information, bypass certain security restrictions, manipulate certain data, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

1) The Cisco Wireless Control System (WCS) includes a fixed username and password for backup operations via FTP. This can be exploited to read from and write to arbitrary files on affected systems.

Successful exploitation potentially allows the server to be compromised, but requires knowledge of other properties of the FTP server.

The security issue has been reported in Cisco WCS prior to version 4.0.96.0.

2) An unspecified error exists in the WCS authentication system, which can be exploited by an authenticated user to change his account group membership.

Successful exploitation can allow full administrative control of the WCS, but requires a valid username and password.

The vulnerability is reported in Cisco WCS prior to version 4.0.87.0.

3) Certain directories in Cisco WCS are not password protected. These can be exploited to disclose certain system information, e.g. organization of the network including access point locations.

The security issue is reported in Cisco WCS prior to version 4.0.66.0.

4) The Cisco Wireless LAN Controller (WLC) includes hard-coded SNMP (Simple Network Management Protocol) community strings, which can be exploited to read and modify the configuration of the WLC via SNMP.

5) An error in the processing of Ethernet traffic can be exploited to crash the WLC via specially crafted data sent over the local network.

Vulnerabilities #4 and #5 affect the following products:
* Cisco 2100 Series Wireless LAN Controllers
* Cisco 2000 Series Wireless LAN Controllers
* Cisco Wireless LAN Controller Module
* Cisco 4400 Series Wireless LAN Controllers
* Cisco 4100 Series Wireless LAN Controllers
* Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
* Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
* Cisco Aironet 1000 Series
* Cisco Aironet 1500 Series

6) An error in Cisco WLC can be exploited to lock up NPUs (Network Processing Units) via specially crafted packets sent over the local wireless network.

Successful exploitation results in a partial or complete DoS, depending on the number of NPUs available and the configuration of the device.

Vulnerability #6 affects the following products:
* Cisco 4400 Series Wireless LAN Controllers
* Cisco 4100 Series Wireless LAN Controllers
* Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
* Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
* Cisco Wireless LAN Controller Module
* Cisco Aironet 1000 Series
* Cisco Aironet 1500 Series

NOTE: Devices that implement the WLC functionality in software do not contain an NPU and are not affected by this vulnerability.

7) Cisco Aironet contains a hard-coded password. This can be exploited by a person with physical access to compromise an affected system.

This security issue affects Cisco Aironet 1000 Series and 1500 Series Lightweight Access Points.

Solution:
Update to the latest versions (see vendor advisories for details).

4) The vendor recommends changing the SNMP community strings from their default values (see vendor advisory for details). An update will reportedly be available April 19, 2007.
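
For issues 1 to 3, the "prior to version" values given in the description can be checked against a WCS inventory. The following is an added example, not part of the Secunia or Cisco advisories; the host names and sample versions are constructed, and it assumes WCS versions always have four numeric parts.

```python
# Added example: thresholds are the "prior to version" values from this advisory.
FIXED_IN = {
    1: "4.0.96.0",  # fixed FTP backup username and password
    2: "4.0.87.0",  # group membership change by an authenticated user
    3: "4.0.66.0",  # directories that are not password protected
}

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part WCS version: {text!r}")
    return tuple(int(p) for p in parts)

def applicable_issues(wcs_version):
    """Return the advisory issue numbers (1-3) that still apply to this version."""
    v = parse_version(wcs_version)
    return [n for n, fixed in sorted(FIXED_IN.items()) if v < parse_version(fixed)]

def triage(inventory):
    """Map host -> issue list; unparseable versions map to None for manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = applicable_issues(version)
        except ValueError:
            report[host] = None
    return report

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "wcs-a.example": "4.0.9.0",   # a string compare would wrongly rank this above 4.0.66.0
    "wcs-b.example": "4.0.66.0",
    "wcs-c.example": "4.0.90.2",
    "wcs-d.example": "4.0.96.0",
    "wcs-e.example": "unknown",
}

if __name__ == "__main__":
    for host, issues in triage(SAMPLE_INVENTORY).items():
        print(host, "needs manual review" if issues is None else issues)
```

Issues 4 to 7 are not covered by this check because the advisory gives no fixed version for them.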

Provided and/or discovered by:
Reported by the vendor.

Changelog:
2007-04-17: Updated Advisory.
2007-06-15: Added CVE reference.

Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20070412-wcs.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070412-wlc.shtml



Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

6 Related Secunia Security Advisories

1. Cisco Wireless Control System Apache Tomcat JK Web Server Connector Buffer Overflow
2. Cisco Multiple Products Wireless ARP Requests Denial of Service
3. Cisco Multiple Products Online Help System Cross-Site Scripting
4. Cisco Wireless Control System Multiple Vulnerabilities
5. Cisco Products OpenSSL Potential SSL 2.0 Rollback Vulnerability
6. Cisco Wireless LAN Controllers Encryption Bypass Vulnerability

