CNET también está disponible en español.

Ir a español

Don't show this again

Cisco bug could put hackers in driver's seat

Cisco warns customers that a flaw in two of its management products could give hackers free rein on wireless and e-commerce networks.

Networking giant Cisco Systems warned customers on Wednesday about a security flaw that could compromise two products used to manage wireless local area network devices and data center switches.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

The company said in the warning posted on its Web site that a preset username and password coded into its Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) could give attackers complete control of the devices. Attackers could use this control to add new users, modify details of existing users or even change the device's configuration, the company said.

WLSE is software that manages Cisco Aironet Wi-Fi products such as the wireless access points. The product simplifies the configuration and monitoring of the Aironet devices. It also has security features that can detect unauthorized or . If an attacker is able to control this management tool, he or she could hide the presence of a rogue access point or change the radio frequency plan, potentially causing systemwide outages.

The HSE is an appliance that manages data center network infrastructure, such as switches that balance loads across e-business servers. The product allows authorized users to remotely monitor, activate and configure services and devices, even through firewalls. The security hole could allow attackers who gain access to the device to use it as a launching platform to redirect traffic coming into or out of the data center. Ultimately, this could result in network downtime and revenue loss.

The vulnerability affects WLSE versions 2.0, 2.0.2 and 2.5 and HSE versions 1.7 through 1.7.3. Cisco said there is no way to work around the problem and that it is urging customers to download software patches it has posted on its Web site.

Cisco said it isn't aware of any attacks that use the hard-coded log-in information.

Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.

Cisco's wireless products have been the subject of several security warnings over the past year. In December, the company warned that some of its Aironet wireless access points were transmitting security keys over the air in unencrypted text, meaning that an eavesdropper could intercept them. With the keys, an attacker could easily break the encryption protecting Wi-Fi transmissions.

Back in July, the company discovered two other flaws that potentially compromised some access points. One security hole could have allowed an attacker to discover account names, while the second could freeze the access point and bring down the wireless access zone.

But it's not just the wireless products that have had serious security problems. The company has also issued warnings for its other products. In March, the company warned customers that software code exploiting nine vulnerabilities was found in its Internetwork Operating System. This software runs on most of Cisco's products, including its Catalyst Ethernet switches and Internet Protocol routers.

Autoplay: ON Autoplay: OFF