Cisco Wireless Control System (WCS) contains multiple vulnerabilities which may allow a remote user to: access sensitive configuration information about access points managed by WCS read from and write to arbitrary files on a WCS system log in to a WCS system with a default administrator password execute script code in a WCS user's web browser access directories which may reveal sensitive WCS configuration information There are workarounds for several, but not all, of these vulnerabilities. See the Workarounds section for more information. Cisco has made free software available to address these vulnerabilities for affected customers. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060628-wcs.
Cisco Wireless Control System (WCS) contains multiple vulnerabilities which may allow a remote user to:
There are workarounds for several, but not all, of these vulnerabilities. See the Workarounds section for more information. Cisco has made free software available to address these vulnerabilities for affected customers.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060628-wcs.
This section provides details on affected products.
DDTS |
Affected Releases |
---|---|
CSCsd15955 |
WCS for Linux and Windows 3.2(40) and earlier |
CSCsd15951 |
WCS for Linux and Windows 3.2(51) and earlier |
CSCse21391 |
WCS for Linux and Windows 4.0(1) and earlier |
CSCsd71397 |
WCS for Linux and Windows 3.2(51) and earlier |
CSCse01127 |
WCS for Linux and Windows 3.2(51) and earlier |
CSCse01409 |
WCS for Linux and Windows 3.2(51) and earlier |
The version of WCS software installed on a particular device can be found via the WCS HTTP management interface. Select Help -> About the Software to obtain the software version.
The version of WCS software installed on a particular device can be found via the WCS HTTP management interface. Select Help -> About the Software to obtain the software version.
No other Cisco products are currently known to be affected by these vulnerabilities.
Wireless Control System is a centralized, systems-level application for managing and controlling lightweight access points and wireless LAN controllers for the Cisco Unified Wireless Network.
WCS contains multiple vulnerabilities including information disclosure and privilege escalation issues. The issues are detailed below:
These issues are documented by the following Cisco bug IDs:
There are are no workarounds for vulnerabilities described in CSCsd15955 (default database account and password), CSCsd15951 (database user and password in clear text), CSCse01127 (XSS) and CSCse01409 (unprotected HTTP directories).
There is a workaround for the vulnerability described in CSCse21391 (default administrator account and password). Users can change the password for the root username via the WCS HTTP management interface. Select Administration -> Accounts -> root to change the password.
There is a workaround for the vulnerability described in CSCsd71397 (TFTP file read and write). Follow these steps to mitigate the TFTP vulnerability.
by placing quotes around the directory path like "C:/some directory".# java com.adventnet.nms.tftp.NmsTftpServer [TFTP_ROOT_DIRECTORY dir] [PORT portNo] # RJS WARNING - If you change these lines, you must change the installer. PROCESS com.adventnet.nms.tftp.NmsTftpServer ARGS TFTP_ROOT_DIRECTORY C:/some directory PORT 69 RETRIES 3 TIMEOUT 30000
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
WCS version 4.0 can be obtained from http://www.cisco.com/pcgi-bin/tablebuild.pl/Wireless_Control_System_Software. Please contact the Cisco TAC to obtain earlier versions of WCS software.
Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance," consult the following URL:
http://www.cisco.com/warp/public/620/1.html
DDTS |
Affected Releases |
Fixed Releases |
---|---|---|
CSCsd15955 |
WCS for Linux and Windows 3.2(40) and earlier |
WCS for Linux and Windows 3.2(51) and later |
CSCsd15951 |
WCS for Linux and Windows 3.2(51) and earlier |
WCS for Linux and Windows 3.2(63) and later |
CSCse21391 |
WCS for Linux and Windows 4.0(1) and earlier |
WCS for Linux and Windows 4.1(83) and later |
CSCsd71397 |
WCS for Linux and Windows 3.2(51) and earlier |
WCS for Linux and Windows 3.2(63) and later |
CSCse01127 |
WCS for Linux and Windows 3.2(51) and earlier |
WCS for Linux and Windows 3.2(63) and later |
CSCse01409 |
WCS for Linux and Windows 3.2(51) and earlier |
WCS for Linux and Windows 3.2(63) and later |
Users of the 3.2 software version can upgrade to 3.2(63) to receive all fixes. CSCse21391 currently has no fix, although there is a workaround that will completely eliminate the vulnerability. Fixed software will be available in the fourth quarter of 2006.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.2 |
2007-June-01 |
Minor changes to Software Versions and Fixes Table for DDTS CSCse21391. |
Revision 1.1 |
2006-June-28 |
Minor changes to descriptions |
Revision 1.0 |
2006-June-28 |
Initial Public Release |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.