"Cisco Wireless Control System (WCS) is the industry leading platform for wireless LAN planning, configuration, and management."
Improper handling of user input and design issues allow attackers to execute arbitrary code, retrieve and write information, and gain administrator privileges in Cisco's Wireless Control System.
Credit:
The information has been provided by Cisco Systems Product Security.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml
Vulnerable Systems:
* WCS for Linux and Windows version 3.2(40) and prior
* WCS for Linux and Windows version 3.2(51) and prior
* WCS for Linux and Windows version 4.0(1) and prior
Cisco Wireless Control System (WCS) contains multiple vulnerabilities which may allow a remote user to:
* access sensitive configuration information about access points managed by WCS
* read from and write to arbitrary files on a WCS system
* log in to a WCS system with a default administrator password
* execute script code in a WCS user's web browser
* access directories which may reveal sensitive WCS configuration information
Wireless Control System is a centralized, systems-level application for managing and controlling lightweight access points and wireless LAN controllers for the Cisco Unified Wireless Network.
WCS contains multiple vulnerabilities including information disclosure and privilege escalation issues. The issues are detailed below:
* Remote users can connect to the WCS internal database with an undocumented username and hard-coded password, gaining access to the sensitive configuration information of managed wireless access points.
* The undocumented database username and password are present in several WCS files in clear text.
* WCS installations contain the default administrator username root with a default password of public. The password is not required to be changed during installation or upon the initial login. There is a workaround for this vulnerability.
* A remote user can read from or write to arbitrary locations in the filesystem of a WCS system via the internal TFTP server. This problem only occurs if the directory path chosen by the user during the installation of WCS for the root of the internal TFTP server contains a space character. There is a workaround for this vulnerability.
* The login page for the WCS HTTP interface does not completely sanitize user-supplied data for malicious script code. This may result in the ability for an attacker to entice a user to access a malicious URL which executes arbitrary script code in the user's web browser.
* The WCS HTTP server does not completely secure certain directories, potentially allowing access to sensitive information like WCS usernames and directory paths.
These issues are documented by the following Cisco bug IDs:
* WCS DBserver is remotely accessible using Solid SQL and static password
* Database passwords are written in clear text on the program folders
* WCS ships with default administrator account and password
* WCS tftp read/writes to C:\ if given dir has a space
* Possible CSS attack on login page of WCS
* WCS allows unauthenticated access to user list and html files on server
Successful exploitation of the vulnerabilities presented in this advisory has different impacts.
* May result in the exposure of sensitive configuration information for wireless access points managed by the WCS server, including encryption keys. With the encryption keys for managed wireless networks, an attacker can intercept and decrypt network traffic.
* May allow an attacker to gain access to the WCS internal database.
* May allow an attacker to gain complete control of a WCS installation.
* May result in the ability to read from and write to arbitrary locations in the filesystem of a system running WCS, including the ability to overwrite and create new files.
* Exploitation may allow an attacker to execute arbitrary script code in a user's web browser. This may be used to obtain sensitive session information which can be used to access the WCS management interface.
* Exploitation may allow an attacker to obtain sensitive WCS configuration data such as WCS usernames and directory installation paths.
Workaround:
There are no workarounds for the vulnerabilities described in default database account and password, database user and password in clear text, XSS and unprotected HTTP directories.
There is a workaround for the vulnerability described in default administrator account and password. Users can change the password for the root username via the WCS HTTP management interface. Select Administration -> Accounts -> root to change the password.
There is a workaround for the vulnerability described in TFTP file read and write. Follow these steps to mitigate the TFTP vulnerability.
* Stop the WCS service via Programs -> Wireless Control System -> StopWCS.
* Edit the file \webnms\conf\NmsProcessesBE.conf. WCS is typically installed in C:\Program Files\WCS32. Modify the section
# java com.adventnet.nms.tftp.NmsTftpServer [TFTP_ROOT_DIRECTORY dir] [PORT portNo]
# RJS WARNING - If you change these lines, you must change the installer.
PROCESS com.adventnet.nms.tftp.NmsTftpServer
ARGS TFTP_ROOT_DIRECTORY C:/some directory PORT 69 RETRIES 3 TIMEOUT 30000
by placing quotes around the directory path like "C:/some directory".
* Start the WCS service via Programs -> Wireless Control System -> StartWCS
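The quoting step above, as an added example (not Cisco's code and not part of the original advisory): a Python sketch that finds the NmsTftpServer ARGS line in NmsProcessesBE.conf and quotes a TFTP root directory that contains a space. It assumes the PORT keyword directly follows the directory, as in the line quoted above; the function name and the sample text are constructed for illustration.

```python
import re

# Constructed sample, built from the section quoted in the advisory.
SAMPLE_CONF = (
    "# java com.adventnet.nms.tftp.NmsTftpServer [TFTP_ROOT_DIRECTORY dir] [PORT portNo]\n"
    "PROCESS com.adventnet.nms.tftp.NmsTftpServer\n"
    "ARGS TFTP_ROOT_DIRECTORY C:/some directory PORT 69 RETRIES 3 TIMEOUT 30000\n"
)

# Assumption: the PORT keyword directly follows the directory, as in the advisory's line.
ARGS_RE = re.compile(
    r"^(?P<head>\s*ARGS\s+TFTP_ROOT_DIRECTORY\s+)(?P<dir>.+?)(?P<tail>\s+PORT\s+\d+.*)$"
)


def fix_tftp_root(conf_text):
    """Quote an unquoted TFTP root that contains a space.

    Returns (new_text, changed_dirs); changed_dirs is empty when the file
    already matches the workaround, so the function doubles as an audit.
    """
    out, changed, in_tftp = [], [], False
    for line in conf_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        if body.strip().startswith("PROCESS"):
            # Only touch the ARGS line that belongs to the TFTP server process.
            in_tftp = body.strip().endswith("NmsTftpServer")
        m = ARGS_RE.match(body) if in_tftp else None
        if m and " " in m["dir"] and not m["dir"].startswith('"'):
            changed.append(m["dir"])
            line = m["head"] + '"' + m["dir"] + '"' + m["tail"] + eol
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    fixed, changed = fix_tftp_root(SAMPLE_CONF)
    print("unquoted roots with spaces:", changed)
    print(fixed, end="")
```

Run it against a copy of the file while the WCS service is stopped; a second run on the output reports no changes.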