Cisco admins gear up for a late night – hardcoded password in wireless points nuked
Wi-Fi gear, WLAN controllers, ISE get security patches
Cisco sysadmins have a busy day ahead of them, with vulnerabilities announced in wireless LAN controllers, the Cisco Identity Services Engine, and Aironet access points.
The Aironet 1800 series flaw, CVE-2015-6336, is that old favorite: a hardcoded static password granting access to the device.
Luckily, the account with the hardwired credential doesn't have admin privilege, so Cisco reckons its exposure is limited to denial-of-service attacks. The access points that need updating are the 1830e, 1830i, 1850e and 1850i.
There are two bugs in the Identity Services Engine. The bug CVE-2015-6317 gives a remote attacker access to “specific web resources” intended for admins.
A more serious bug is CVE-2015-6323, in which unauthenticated remote attackers can gain admin access to the device. Various versions of the ISE devices' software are vulnerable, and patches have been released.
Cisco's Wireless LAN Controller (WLC) software has a critical vulnerability, CVE-2015-6314, that gives remote attackers access to device configuration.
Depending on software version, it could be present in 2500 Series controllers, 5500 Series controllers, 8500 Series controllers, Cisco Flex 7500 Series controllers, and Cisco Virtual Wireless controllers.
There's also a follow-up to the company's December 2015 OpenSSL advisory, with an expanded list of vulnerable products. ®