From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 29 Jun 2006 14:23:16 +0200
Subject: [NEWS] Cisco Wireless Control System Multiple Vulnerabilities
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco Wireless Control System Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
"Cisco Wireless Control System (WCS)
<http://www.cisco.com/en/US/products/ps6305/index.html> is the industry
leading platform for wireless LAN planning, configuration, and management."
Improper handling of user input and design issues allow attackers to
execute arbitrary code, retrieve and write information, and gain
administrator privileges in Cisco's Wireless Control System.
DETAILS
Vulnerable Systems:
* WCS for Linux and Windows version 3.2(40) and prior
* WCS for Linux and Windows version 3.2(51) and prior
* WCS for Linux and Windows version 4.0(1) and prior
Cisco Wireless Control System (WCS) contains multiple vulnerabilities
which may allow a remote user to:
* access sensitive configuration information about access points managed
by WCS
* read from and write to arbitrary files on a WCS system
* log in to a WCS system with a default administrator password
* execute script code in a WCS user's web browser
* access directories which may reveal sensitive WCS configuration
information
Wireless Control System is a centralized, systems-level application for
managing and controlling lightweight access points and wireless LAN
controllers for the Cisco Unified Wireless Network.
WCS contains multiple vulnerabilities including information disclosure and
privilege escalation issues. The issues are detailed below:
* Remote users can connect to the WCS internal database with an
undocumented username and hard-coded password, gaining access to the
sensitive configuration information of managed wireless access points.
* The undocumented database username and password are present in several
WCS files in clear text.
* WCS installations contain the default administrator username root with
a default password of public. The password is not required to be changed
during installation or upon the initial login. There is a workaround for
this vulnerability.
* A remote user can read from or write to arbitrary locations in the
filesystem of a WCS system via the internal TFTP server. This problem only
occurs if the directory path chosen by the user during the installation of
WCS for the root of the internal TFTP server contains a space character.
There is a workaround for this vulnerability.
* The login page for the WCS HTTP interface does not completely sanitize
user-supplied data for malicious script code. This may result in the
ability for an attacker to entice a user to access a malicious URL which
executes arbitrary script code in the user's web browser.
* The WCS HTTP server does not completely secure certain directories,
potentially allowing access to sensitive information like WCS usernames
and directory paths.
These issues are documented by the following Cisco bug IDs:
* WCS DBserver is remotely accessible using Solid SQL and static password
* Database passwords are written in clear text on the program folders
* WCS ships with default administrator account and password
* WCS tftp read/writes to C:\ if given dir has a space
* Possible CSS attack on login page of WCS
* WCS allows unauthenticated access to user list and html files on server
Successful exploitation of the vulnerabilities presented in this advisory
has different impacts:
* May result in the exposure of sensitive configuration information for
wireless access points managed by the WCS server, including encryption
keys. With the encryption keys for managed wireless networks, an attacker
can intercept and decrypt network traffic.
* May allow an attacker to gain access to the WCS internal database.
* May allow an attacker to gain complete control of a WCS installation.
* May result in the ability to read from and write to arbitrary locations
in the filesystem of a system running WCS, including the ability to
overwrite and create new files.
* Exploitation may allow an attacker to execute arbitrary script code in
a user's web browser. This may be used to obtain sensitive session
information which can be used to access the WCS management interface.
* Exploitation may allow an attacker to obtain sensitive WCS
configuration data such as WCS usernames and directory installation paths.
Workaround:
There are no workarounds for the vulnerabilities described under default
database account and password, database user and password in clear text,
XSS, and unprotected HTTP directories.
There is a workaround for the vulnerability described in default
administrator account and password. Users can change the password for the
root username via the WCS HTTP management interface. Select Administration
-> Accounts -> root to change the password.
There is a workaround for the vulnerability described in TFTP file read
and write. Follow these steps to mitigate the TFTP vulnerability.
* Stop the WCS service via Programs -> Wireless Control System ->
StopWCS.
* Edit the file \webnms\conf\NmsProcessesBE.conf. WCS is typically
installed in C:\Program Files\WCS32. Modify the section

    # java com.adventnet.nms.tftp.NmsTftpServer [TFTP_ROOT_DIRECTORY dir] [PORT portNo]
    # RJS WARNING - If you change these lines, you must change the installer.
    PROCESS com.adventnet.nms.tftp.NmsTftpServer
    ARGS TFTP_ROOT_DIRECTORY C:/some directory PORT 69 RETRIES 3 TIMEOUT 30000

by placing quotes around the directory path like "C:/some directory".
* Start the WCS service via Programs -> Wireless Control System ->
StartWCS
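
A check for the unquoted-path condition in the TFTP workaround above, as an added example (not code from Cisco or SecuriTeam). It assumes the stanza layout quoted in the advisory with ARGS on a single line; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample modelled on the stanza quoted in the advisory.
SAMPLE_CONF = """\
# java com.adventnet.nms.tftp.NmsTftpServer [TFTP_ROOT_DIRECTORY dir] [PORT portNo]
PROCESS com.adventnet.nms.tftp.NmsTftpServer
ARGS TFTP_ROOT_DIRECTORY C:/some directory PORT 69 RETRIES 3 TIMEOUT 30000
"""

TFTP_PROCESS = "com.adventnet.nms.tftp.NmsTftpServer"
# Assumption: the directory value runs from TFTP_ROOT_DIRECTORY up to the next
# keyword seen in the advisory's ARGS line (PORT, RETRIES, TIMEOUT) or end of line.
ROOT_RE = re.compile(
    r"(TFTP_ROOT_DIRECTORY\s+)(.+?)(?=\s+(?:PORT|RETRIES|TIMEOUT)\b|\s*$)"
)

def audit_tftp_root(conf_text):
    """Return (line_no, value, needs_quotes) for each TFTP server ARGS line."""
    findings = []
    in_tftp = False
    for no, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blanks and comments
        if stripped.startswith("PROCESS"):
            # Track whether the following ARGS line belongs to the TFTP server.
            in_tftp = stripped.split()[1:2] == [TFTP_PROCESS]
        elif in_tftp and stripped.startswith("ARGS"):
            m = ROOT_RE.search(stripped)
            if m:
                value = m.group(2)
                quoted = len(value) >= 2 and value[0] == value[-1] == '"'
                # Vulnerable condition: path contains a space and is not quoted.
                findings.append((no, value, " " in value and not quoted))
    return findings

def quote_tftp_root(conf_text):
    """Return the config with flagged directory paths wrapped in double quotes."""
    flagged = {no for no, _, needs in audit_tftp_root(conf_text) if needs}
    out = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if no in flagged:
            # A function replacement keeps backslashes in Windows paths literal.
            line = ROOT_RE.sub(lambda m: f'{m.group(1)}"{m.group(2)}"', line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(audit_tftp_root(SAMPLE_CONF))
    print(quote_tftp_root(SAMPLE_CONF))
```

Run it against a copy of NmsProcessesBE.conf with the WCS service stopped, and review the rewritten ARGS line before putting it in place.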
ADDITIONAL INFORMATION
The information has been provided by Cisco Systems Product Security
<psirt@cisco.com>.
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml