Cisco kills hardcoded password bug in Wi-Fi access points

Along with fixes for a number of older vulnerabilities in Cisco IOS and IOS XE software, the Cisco IOS Software Common Industrial Protocol, and the OpenSSL package incorporated in multiple company products, Cisco Systems has pushed out security updates that plug unauthorized access and default account/static password vulnerabilities in some of its offerings.

The most serious of these are CVE-2015-6323, a bug in the Admin portal of devices running Cisco Identity Services Engine (ISE) software, which could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device and effect complete compromise of it; and CVE-2015-6314, a same type of vulnerability affecting devices running Cisco Wireless LAN Controller (WLC) software.

Both bugs have been deemed “critical,” and have received the maximum CVSS base score of 10.0.

A high-risk vulnerability (CVE-2015-6336) in Cisco Aironet 1800 Series Access Point devices has also been patched.

The bug could be exploited by unauthenticated, remote attackers to log in to the device by using a default account that has a static password. What makes this bug less serious than the previous ones is that, by default, this default account does not have full administrative privileges, and that means that the attackers ability to tamper with the device is restricted.

To see whether your software/devices are affected, check out the security advisories for each bug, and apply the appropriate updates – there are no workarounds for any of these vulnerabilities.

According to the advisories, all of these bugs were discovered by Cisco during internal testing.

As a reminder: in the wake of the discovery of two backdoors on Juniper’s NetScreen firewall devices, Cisco Systems recently announced that they will be reviewing the software running on their devices, and that they would be searching for backdoors, hardcoded or undocumented account credentials, covert communication channels and undocumented traffic diversions.

Whether these latest patched flaws were found during this auditing effort is unknown.