Cisco Details Security Vulnerability in Access Point Interface
TMCnet Executive Editor
Cisco Systems, the world’s leading supplier of networking gear, is warning that security vulnerabilities exist in its web-based interface software that could enable unauthorized hijacking of remote access points.
In security advisories posted on the Cisco Web site, the company said the vulnerability could, “under certain circumstances, remove the default security configuration from the managed access point and allow administrative access without validation of administrative user credentials.”
Successful exploitation of this vulnerability will result in unauthorized administrative access to the access point via the web management interface or via the console port. The products affected include: the 350 Wireless Access Point and Bridge, 1100 Wireless Access Point, 1130 Wireless Access Point, 1200 Wireless Access Point, 1240 Wireless Access Point, 1310 Bridge and the 1410 Wireless Access Point.
Specifically, the vulnerability exists in the access point web-browser interface when “Security > Admin Access” is changed from Default Authentication (Global Password) to Local User List Only (Individual Passwords). This will result in the access point being re-configured with no security (either Global Password or Individual Passwords) enabled, allowing for open access to the access point via the web-browser interface or via the console port with no validation of user credentials.
Both Windows and Linux users are affected by the security vulnerabilities.
Cisco said it has made free software available to address this vulnerability for affected customers.
“There are workarounds available to mitigate the effects of this vulnerability,” the company said in its advisories.
The company added that advisories will be updated as additional software fixes become available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Cisco officials couldn’t be immediately reached for comment.
Robert Liu is Executive Editor at TMCnet. Previously, he was Executive Editor at Jupitermedia and has also written for CNN, A&E, Dow Jones and Bloomberg.