Cisco fixes Aironet vuln

Firmware upgrade for IOS flavours

Cisco Systems yesterday released a fix for a security vulnerability affecting its Aironet 1100, 1200 and 1400 series wireless access points.

Vulnerable Cisco Aironet Access Points can be forced to crash and reboot on receipt of maliciously constructed traffic, security consulting firm VIGILANTe (which discovered the problem) warns. The flaw arises only when the HTTP server feature on access points is enabled. However, no authentication is needed to perform this attack; access to the web server is all that is required.

Cisco has confirmed the flaw, acknowledging that repeated exploitation of the vulnerability could lead to prolonged Denial-of-Service attacks on vulnerable access points.

The networking giant says it has received no reports of malicious exploitation.

The vuln affects only IOS-based Cisco Aironet Wireless products, according to Cisco. VxWorks-based Cisco Aironet Wireless Devices are not affected. Cisco has released an advisory explaining how users can obtain a free firmware upgrade to non-vulnerable versions of IOS, and detailing workarounds involving setting up access control lists to defend against the threat.

VIGILANTe also released a second advisory yesterday involving a less serious information disclosure vulnerability concerning Cisco's access points. Malicious attackers able to Telnet into a vulnerable access point might be able to obtain a list of usernames (but not passwords). This information might then be used in subsequent attacks.

Cisco says this flaw is generic to IOS and is covered in a separate advisory here.

Users are advised to upgrade their software. In advance of applying a fix, admins might decide to disable Telnet access and use SSH instead as a workaround. ®
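
An added example, not taken from the Cisco or VIGILANTe advisories: a short Python check that flags, in a saved IOS configuration, the two exposure conditions described above (HTTP server enabled with no access class, and vty lines that accept Telnet). The sample configuration is constructed, and treating a vty block with no `transport input` line as Telnet-capable is an assumption.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname ap-lab
ip http server
!
line con 0
line vty 0 4
 login local
line vty 5 15
 transport input ssh
!
end
"""

def audit_ios_config(text):
    """Flag HTTP-server and Telnet exposure in a saved IOS configuration."""
    findings = []
    lines = text.splitlines()
    commands = [ln.strip() for ln in lines]

    # "no ip http server" does not match, so only an enabled server counts.
    http_on = "ip http server" in commands
    http_acl = any(re.match(r"ip http access-class \S+", c) for c in commands)
    if http_on and not http_acl:
        findings.append("http-server-enabled-without-access-class")

    # Collect the indented sub-commands of every "line vty" block.
    blocks, current = {}, None
    for ln in lines:
        if ln.startswith("line "):
            current = ln.strip() if ln.startswith("line vty") else None
            if current:
                blocks[current] = []
        elif current and ln.startswith(" "):
            blocks[current].append(ln.strip())
        else:
            current = None

    for name, cmds in blocks.items():
        transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        # Assumption: a block with no "transport input" line accepts Telnet.
        protocols = transport[-1] if transport else ["telnet"]
        if "telnet" in protocols or "all" in protocols:
            findings.append("telnet-allowed: " + name)
    return findings

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

An empty result only means neither condition was found in the text; it does not show that the device is running a fixed IOS version.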