security.itworld.com
  Search  
Security Home Page Security Webcasts Security White Papers Security Newsletters Security News Security Topics Careers ITworld Voices ITwhirled The Security site of ITworld.com

Cisco warns of wireless security hole

 IDG News Service 4/7/04

Networking equipment maker Cisco Systems Inc. is warning customers about a security hole in two products used to manage wireless LANs and e-business services in corporate data centers.

On this topic
Spreading worm hits Nokia handsets
First Trojan reported for the iPhone
A Wi-Fi virus outbreak? Researchers say it's possible
Get practical tips, IT news, how-tos, and the best in tech humor.

The company said on Wednesday that a user name and password coded into some versions of its Wireless LAN Solution Engine and Hosting Solution Engine software could give attackers complete control of the devices. Attackers could use the default logins to hide rogue wireless access points on wireless LANs, create and modify user privileges or change configuration settings, Cisco said. The vulnerability affects versions 2.0, 2.0.2 and 2.5 of the Wireless LAN Solution Engine (WLSE) and versions 1.7, 1.7.1, 1.7.2 and 1.7.3 of the Hosting Solution Engine (HSE). The San Jose, California, posted software patches on its Web site for both products.

The WLSE product manages Cisco Aironet wireless LAN (WLAN) infrastructures, tying together different Aironet products, such as wireless access points, and making it easier for administrators to deploy, monitor and configure the devices on their WLAN. The WLSE also has security features that can spot unauthorized, or "rogue," access points and applying wireless networking security polices to devices on the network, Cisco said.

The HSE is a network management hardware appliance that uses the Cisco 1140 platform. The product maps out and then monitors the performance and integrity e-business services in data centers that use Cisco products.

A default user name and password combination were written, or "hard coded," into the software that runs on both devices and cannot be disabled. A malicious user who had the password would have complete control of the affected device, which could be used as a platform for further attacks, Cisco warned.

For the WLSE, having the default user name and password would give the malicious user the ability to cause system-wide outages by changing the radio frequency used to send data over the WLAN, or secretly install an unauthorized access point that could be used to gather confidential information from the WLAN.

For customers using the HSE, the default password could allow an attacker to redirect traffic from a Web site hosting e-business services, resulting in financial loss, Cisco said.

Cisco said it is not aware of any attacks that use the hard-coded login information, but advised customers to install the appropriate software patch.


Sponsored Links

Web Penetration & App Testing
Web Penetration Security Services. 300+ Clients. Free, Quick Quotes!
Sign up for a FREE NETWORK RISK ASSESSMENT!
MORE THAN 70% OF NETWORKS ARE INFECTED by hidden Malware. Find out if your network is infected now!
FREE DOWNLOAD: MITIGATING ROCK PHISH ATTACKS
Standard anti-phishing methods cannot defeat complex Rock Phish attacks. Learn how to fight back...
SOLVE SUPPORT ISSUES on the First Call!
REMOTELY CONTROL AND CONFIGURE SYSTEMS. Easily install applications, updates. All from your Desktop!
FREE Application Discovery Tool from Sophos
Scan your network for VoIP, IM, games and other potentially unwanted applications.
» Buy a link now

Advertisements
Sponsored links
KODAK i1400 Series Scanners stand up to the challenge
Locate Hidden Software on business PCs with this free tool
Bring harmony to your mix of UNIX-Linux-Windows computing environments
Top 5 Reasons to Combine App Performance and Security
Home  Vulnerabilities Network Wireless network
www.itworld.com    open.itworld.com     security.itworld.com     smallbusiness.itworld.com
storage.itworld.com     utilitycomputing.itworld.com     wireless.itworld.com

 
Contact Us   About Us   Privacy Policy    Terms of Service   Reprints  

CIO   Computerworld   CSO   GamePro   Games.net   IDG Connect   IDG World Expo   Infoworld   ITworld   JavaWorld   LinuxWorld  MacUser   Macworld   Network World   PC World   Playlist  

Copyright © Computerworld, Inc. All rights reserved

Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.