A new Cisco security warning reports that the company's wireless LAN management application has "multiple vulnerabilities" including one that lets a remote user log in with a default administrator password.
The warning lists six vulnerabilities, and says that workarounds are available for some but not all of them. The problems are part of Cisco's Wireless Control System (WCS), which is the software that handles network and RF management, location tracking, and intrusion detection and prevention for Cisco's controller-based WLANs.
The vulnerabilities are found in WCS for Linux and Windows, for Versions 3.2 and earlier, though in one case Version 4.0 is listed. Full details, including a .PDF version, are on the Cisco Web site.
Perhaps the most critical problem is an undocumented username and hard-coded password that give a remote user access to the WCS database, which stores configuration information for access points managed by the WCS server, including encryption keys. With those keys, an attacker can decrypt encrypted network traffic.
The attacker can potentially gain complete control of a WCS installation through the default administrator username "root" with a default password of "public". There is no requirement to change the password during installation or initial login. Cisco has a workaround for this vulnerability.
The username and password are in clear text in several WCS files.
Other vulnerabilities let attackers read from and write to arbitrary locations in the file system running WCS, execute script code in a user's Web browser, and obtain WCS usernames and directory installation paths.