|
Cisco Products Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA24865
|
|
|
Release Date:
|
2007-04-13
|
|
Last Update:
|
2007-06-15
|
|
Popularity:
|
7,316 views
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Security Bypass
Manipulation of data
Exposure of system information
Exposure of sensitive information
Privilege escalation
DoS
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Partial Fix
|
|
| OS: | Cisco 2000 Series Wireless LAN Controller
Cisco 2100 Series Wireless LAN Controller
Cisco 4400 Series Wireless LAN Controller
Cisco Aironet 1000 Series Access Point
Cisco Aironet 1500 Series Access Point
Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
Cisco Wireless LAN Controller Module
|
|
| Software: | Cisco Catalyst 6500 Series Wireless Service Module (WiSM)
Cisco Wireless Control System (WCS)
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2007-2040
|
|
Description:
Some vulnerabilities and security issues have been reported in various Cisco products, which can be exploited by malicious users to gain escalated privileges, and by malicious people to disclose sensitive information, bypass certain security restrictions, manipulate certain data, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.
1) The Cisco Wireless Control System (WCS) includes a fixed username and password for backup operations via FTP. This can be exploited to read from and write to arbitrary files on affected systems.
Successful exploitation potentially allows the server to be compromised, but requires knowledge of other properties of the FTP server.
The security issue has been reported in Cisco WCS prior to version 4.0.96.0.
2) An unspecified error exists in the WCS authentication system, which can be exploited by an authenticated user to change his account group membership.
Successful exploitation can allow full administrative control of the WCS, but requires a valid username and password.
The vulnerability is reported in Cisco WCS prior to version 4.0.87.0.
3) Certain directories in Cisco WCS are not password protected. These can be exploited to disclose certain system information, e.g. organization of the network including access point locations.
The security issue is reported in Cisco WCS prior to version 4.0.66.0.
4) The Cisco Wireless LAN Controller (WLC) includes hard-coded SNMP (Simple Network Management Protocol) community strings, which can be exploited to read and modify the configuration of the WLC via SNMP.
5) An error in the processing of ethernet traffic can be exploited to crash the WLC via specially crafted data sent over the local network.
Vulnerabilities #4 and #5 affect the following products:
* Cisco 2100 Series Wireless LAN Controllers
* Cisco 2000 Series Wireless LAN Controllers
* Cisco Wireless LAN Controller Module
* Cisco 4400 Series Wireless LAN Controllers
* Cisco 4100 Series Wireless LAN Controllers
* Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
* Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
* Cisco Aironet 1000 Series
* Cisco Aironet 1500 Series
6) An error in Cisco WLC can be exploited to lock up NPUs (Network Processing Unit) via specially crafted packets sent over the local wireless network.
Successful exploitation results in a partial or complete DoS, depending on the number of NPUs available and the configuration of the device.
Vulnerability #6 affects the following products:
* Cisco 4400 Series Wireless LAN Controllers
* Cisco 4100 Series Wireless LAN Controllers
* Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
* Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
* Cisco Wireless LAN Controller Module
* Cisco Aironet 1000 Series
* Cisco Aironet 1500 Series
NOTE: Devices that implement the WLC functionality in software do not contain an NPU and are not affected by this vulnerability.
7) The problem is caused due to the presence of a hard-coded password in Cisco Aironet. This can be exploited by a person with physical access to compromise an affected system.
This security issue affects Cisco Aironet 1000 Series and 1500 Series Lightweight Access Points.
Solution:
Update to the latest versions (see vendor advisories for details).
4) The vendor recommends changing the SNMP community strings from their default values (see vendor advisory for details). An update will reportedly be available April 19, 2007.
Provided and/or discovered by:
Reported by the vendor.
Changelog:
2007-04-17: Updated Advisory.
2007-06-15: Added CVE reference.
Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20070412-wcs.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070412-wlc.shtml
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
