Cisco Issues WCS Warning
WiFi management platform turns up with a handful of vulnerabilities
June 29, 2006
Top-ranked enterprise wireless networking vendor Cisco has put out a security advisory warning that its WiFi management software platform has vulnerabilities that could potentially make it possible for malicious users to gain access to sensitive information.
Cisco is warning that there exists in its Wireless Control System (WCS) an undocumented hard-coded username and password that could be used to gain access to internal configuration data about access points managed via the WCS. The security issue has been reported in WCS for Linux and Windows 3.2(40) and prior. WCS is Cisco's platform for wireless LAN planning, configuration, RF management, location tracking, intrusion prevention, monitoring, and management.
Malicious local users could also potentially exploit the fact that an undocumented database username and password are stored in clear text in several WCS files -- once again leaving the internal database vulnerable.
These initially appear to be the two most easily exploitable security weaknesses. Cisco is also warning, however, about a couple of flaws in the software itself that could be used to gain access to directories or user sessions.
Security firm Secunia is describing the alert as "moderately critical" and says that overall the vulnerabilities could allow malicious users to access "sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system."
Cisco says in its advisory that it has workarounds for some but not all of the vulnerabilities.
— Dan Jones, Site Editor, Unstrung