-
A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled. There is no workaround.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040407-username.
-
This section provides details on affected products.
Vulnerable Products
These products are vulnerable:
- The affected software releases for WLSE are 2.0, 2.0.2 and 2.5.
- The affected software releases for HSE are 1.7, 1.7.1, 1.7.2 and 1.7.3.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
A hardcoded username and password pair is present in all software releases for all models of WLSE and HSE devices.
This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCsa11583 (registered customers only) for the WLSE and CSCsa11584 (registered customers only) for the HSE.
CiscoWorks WLSE provides centralized management for the Cisco Wireless LAN infrastructure. It unifies the other components in the solution and actively employs them to provide continual "Air/RF" monitoring, network security, and optimization. The CiscoWorks WLSE also assists network managers by automating and simplifying mass configuration deployment, fault monitoring and alerting.
Cisco Hosting Solution Engine is a hardware-based solution to monitor and activate a variety of e-business services in Cisco powered data centers. It provides fault and performance information about the Layer 2-3 hosting infrastructure and Layer 4-7 hosted services.
-
There is no workaround.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
For WLSE, users need to install the WLSE-2.x-CSCsa11583-K9.zip patch. The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/wlan-sol-eng (registered customers only). Installation instructions are included in the accompanying README file, WLSE-2.x-CSCsa11583-K9.readmeV3.txt, in that same download directory. This patch is applicable to WLSE 1105 and 1130 software releases 2.0, 2.0.2 and 2.5.
For HSE, users need to install the HSE-1.7.x-CSCsa11584.zip patch. The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-host-sol (registered customers only). Installation instructions are included in the accompanying README file, HSE-1.7.x-CSCsa11584.readme.txt, in that same download directory. This patch is applicable to HSE 1105 for versions 1.7, 1.7.1, 1.7.2, and 1.7.3.
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.4, 2004-April-12: Fixed URL for Cisco.com Downloads under Obtaining Fixed Software section.
Revision 1.3, 2004-April-08: Updated Software Versions and Fixes section.
Revision 1.2, 2004-April-08: Updated to include WLSE 1105 in Software Versions and Fixes section.
Revision 1.1, 2004-April-07: Correction in the Obtaining Fixed Software section.
Revision 1.0, 2004-April-07: Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.