Summary

• Cisco Wireless Control System (WCS) contains multiple vulnerabilities which may allow a remote user to:

  • access sensitive configuration information about access points managed by WCS
    
  • read from and write to arbitrary files on a WCS system
    
  • log in to a WCS system with a default administrator password
    
  • execute script code in a WCS user's web browser
    
  • access directories which may reveal sensitive WCS configuration information
    

  There are workarounds for several, but not all, of these vulnerabilities. See the Workarounds section for more information. Cisco has made free software available to address these vulnerabilities for affected customers.

  This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060628-wcs.

Affected Products

• This section provides details on affected products.

  Vulnerable Products

  DDTS	Affected Releases
  CSCsd15955	WCS for Linux and Windows 3.2(40) and earlier
  CSCsd15951	WCS for Linux and Windows 3.2(51) and earlier
  CSCse21391	WCS for Linux and Windows 4.0(1) and earlier
  CSCsd71397	WCS for Linux and Windows 3.2(51) and earlier
  CSCse01127	WCS for Linux and Windows 3.2(51) and earlier
  CSCse01409	WCS for Linux and Windows 3.2(51) and earlier

  The version of WCS software installed on a particular device can be found via the WCS HTTP management interface. Select Help -> About the Software to obtain the software version.

  The version of WCS software installed on a particular device can be found via the WCS HTTP management interface. Select Help -> About the Software to obtain the software version.

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• Wireless Control System is a centralized, systems-level application for managing and controlling lightweight access points and wireless LAN controllers for the Cisco Unified Wireless Network.

  WCS contains multiple vulnerabilities including information disclosure and privilege escalation issues. The issues are detailed below:

  • CSCsd15955 ( registered customers only) —Remote users can connect to the WCS internal database with an undocumented username and hard-coded password, gaining access to the sensitive configuration information of managed wireless access points.
    
  • CSCsd15951 ( registered customers only) —The undocumented database username and password are present in several WCS files in clear text.
    
  • CSCse21391 ( registered customers only) —WCS installations contain the default administrator username root with a default password of public. The password is not required to be changed during installation or upon the initial login. There is a workaround for this vulnerability.
    
  • CSCsd71397 ( registered customers only) —A remote user can read from or write to arbitrary locations in the filesystem of a WCS system via the internal TFTP server. This problem only occurs if the directory path chosen by the user during the installation of WCS for the root of the internal TFTP server contains a space character. There is a workaround for this vulnerability.
    
  • CSCse01127 ( registered customers only) —The login page for the WCS HTTP interface does not completely sanitize user-supplied data for malicious script code. This may result in the ability for an attacker to entice a user to access a malicious URL which executes arbitrary script code in the user's web browser.
    
  • CSCse01409 ( registered customers only) —The WCS HTTP server does not completely secure certain directories, potentially allowing access to sensitive information like WCS usernames and directory paths.
    

  These issues are documented by the following Cisco bug IDs:

  • CSCsd15955 ( registered customers only) —WCS DBserver is remotely accessible using Solid SQL and static password
    
  • CSCsd15951 ( registered customers only) —Database passwords are written in clear text on the program folders
    
  • CSCse21391 ( registered customers only) —WCS ships with default administrator account and password
    
  • CSCsd71397 ( registered customers only) —WCS tftp read/writes to C:\ if given dir has a space
    
  • CSCse01127 ( registered customers only) —Possible CSS attack on login page of WCS
    
  • CSCse01409 ( registered customers only) —WCS allows unauthenticated access to user list and html files on server
    

Workarounds

• There are are no workarounds for vulnerabilities described in CSCsd15955 (default database account and password), CSCsd15951 (database user and password in clear text), CSCse01127 (XSS) and CSCse01409 (unprotected HTTP directories).

  There is a workaround for the vulnerability described in CSCse21391 (default administrator account and password). Users can change the password for the root username via the WCS HTTP management interface. Select Administration -> Accounts -> root to change the password.

  There is a workaround for the vulnerability described in CSCsd71397 (TFTP file read and write). Follow these steps to mitigate the TFTP vulnerability.

  • Stop the WCS service via Programs -> Wireless Control System -> StopWCS.
    
  • Edit the file \webnms\conf\NmsProcessesBE.conf. WCS is typically installed in C:\Program Files\WCS32. Modify the section
    

    # java com.adventnet.nms.tftp.NmsTftpServer [TFTP_ROOT_DIRECTORY dir] [PORT portNo]
    # RJS WARNING - If you change these lines, you must change the installer.
    PROCESS             com.adventnet.nms.tftp.NmsTftpServer
    ARGS            TFTP_ROOT_DIRECTORY C:/some directory PORT 69 RETRIES 3 TIMEOUT 30000
    

    by placing quotes around the directory path like "C:/some directory".
    
  • Start the WCS service via Programs -> Wireless Control System -> StartWCS.
    

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

  WCS version 4.0 can be obtained from http://www.cisco.com/pcgi-bin/tablebuild.pl/Wireless_Control_System_Software. Please contact the Cisco TAC to obtain earlier versions of WCS software.

  Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

  For more information on the terms "Rebuild" and "Maintenance," consult the following URL:

  http://www.cisco.com/warp/public/620/1.html

  DDTS	Affected Releases	Fixed Releases
  CSCsd15955	WCS for Linux and Windows 3.2(40) and earlier	WCS for Linux and Windows 3.2(51) and later
  CSCsd15951	WCS for Linux and Windows 3.2(51) and earlier	WCS for Linux and Windows 3.2(63) and later
  CSCse21391	WCS for Linux and Windows 4.0(1) and earlier	WCS for Linux and Windows 4.1(83) and later
  CSCsd71397	WCS for Linux and Windows 3.2(51) and earlier	WCS for Linux and Windows 3.2(63) and later
  CSCse01127	WCS for Linux and Windows 3.2(51) and earlier	WCS for Linux and Windows 3.2(63) and later
  CSCse01409	WCS for Linux and Windows 3.2(51) and earlier	WCS for Linux and Windows 3.2(63) and later

  Users of the 3.2 software version can upgrade to 3.2(63) to receive all fixes. CSCse21391 currently has no fix, although there is a workaround that will completely eliminate the vulnerability. Fixed software will be available in the fourth quarter of 2006.

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060628-wcs

Revision History

• Revision 1.2	2007-June-01	Minor changes to Software Versions and Fixes Table for DDTS CSCse21391.
  Revision 1.1	2006-June-28	Minor changes to descriptions
  Revision 1.0	2006-June-28	Initial Public Release

  Show Less