Cisco bug could put hackers in driver's seat

Cisco warns customers that a flaw in two of its management products could give hackers free rein on wireless and e-commerce networks.

Marguerite Reardon Former senior reporter
Networking giant Cisco Systems warned customers on Wednesday about a security flaw that could compromise two products used to manage wireless local area network devices and data center switches.


The company said in the warning posted on its Web site that a preset username and password coded into its Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) could give attackers complete control of the devices. Attackers could use this control to add new users, modify details of existing users or even change the device's configuration, the company said.

WLSE is software that manages Cisco Aironet Wi-Fi products such as wireless access points. The product simplifies the configuration and monitoring of the Aironet devices. It also has security features that can detect unauthorized or rogue access points. If an attacker is able to control this management tool, he or she could hide the presence of a rogue access point or change the radio frequency plan, potentially causing systemwide outages.

The HSE is an appliance that manages data center network infrastructure, such as switches that balance loads across e-business servers. The product allows authorized users to remotely monitor, activate and configure services and devices, even through firewalls. The security hole could allow attackers who gain access to the device to use it as a launching platform to redirect traffic coming into or out of the data center. Ultimately, this could result in network downtime and revenue loss.

The vulnerability affects WLSE versions 2.0, 2.0.2 and 2.5 and HSE versions 1.7 through 1.7.3. Cisco said there is no way to work around the problem and that it is urging customers to download software patches it has posted on its Web site.

Cisco said it isn't aware of any attacks that use the hard-coded log-in information.



Cisco's wireless products have been the subject of several security warnings over the past year. In December, the company warned that some of its Aironet wireless access points were transmitting security keys over the air in unencrypted text, meaning that an eavesdropper could intercept them. With the keys, an attacker could easily break the encryption protecting Wi-Fi transmissions.

Back in July, the company discovered two other flaws that potentially compromised some access points. One security hole could have allowed an attacker to discover account names, while the second could freeze the access point and bring down the wireless access zone.

But it's not just the wireless products that have had serious security problems. The company has also issued warnings for its other products. In March, the company warned customers that software code exploiting nine vulnerabilities was found in its Internetwork Operating System. This software runs on most of Cisco's products, including its Catalyst Ethernet switches and Internet Protocol routers.