Top-ranked enterprise wireless networking vendor Cisco has put out a security advisory warning that its WiFi management software platform has vulnerabilities that could allow malicious users to gain access to sensitive information.
Cisco is warning that its Wireless Control System (WCS) contains an undocumented hard-coded username and password that could be used to gain access to internal configuration data about access points managed via the WCS. The security issue has been reported in WCS for Linux and Windows 3.2(40) and prior. WCS is Cisco's platform for wireless LAN planning, configuration, RF management, location tracking, intrusion prevention, monitoring, and management.
Malicious local users could also potentially exploit the fact that an undocumented database username and password are stored in clear text in several WCS files -- once again leaving the internal database vulnerable.
These initially appear to be the two most easily exploitable security weaknesses. Cisco is also warning, however, about a couple of flaws in the software itself that could be used to gain access to directories or user sessions.
Security firm Secunia is describing the alert as "moderately critical" and says that overall the vulnerabilities could allow malicious users to access "sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system."
Cisco says in its advisory that it has workarounds for some but not all of the vulnerabilities.
Dan Jones, Site Editor, Unstrung