Cisco Kills Hardcoded Password In Software Devices
Wi-Fi gear, WLAN controllers, and ISE.Cisco are the wireless devices designed by Cisco with hardcoded passwords. Recently two critical vulnerabilities that can completely compromise to nay devices its software.
There are two most serious vulnerabilities:
CVE-2015-6323:- It is a bug which reside in the Admin portal of devices running Cisco Identity Services Engine (ISE) software. It provides unauthorized and unauthenticated access to attackers.
CVE-2015-6314: It is running on the Cisco Wireless LAN Controller (WLC) software same as the above vulnerabilities.
CVE-2015-6336: It is vulnerability risk in Cisco Aironet 1800 Series Access Point devices.
All above bugs received a maximum CVSS base score of 10.0 and are too “critical”.
CVE-2015-6336, this critical bug has been patched by the Cisco.
It enables the attackers to log into the device with a default account that has the static password. The reason that this bug is not so much dangerous than the other two because the default account which the attacker used doesn’t have full administrative privileges.
Cisco discovered all of these bugs during internal testing we can come to know by the below statement said by the Cisco advisory.
“A successful exploit may result in a complete compromise of the affected device. Customers are advised to apply a patch or upgrade to a version of the Cisco ISE software that resolves this vulnerability.” states the CISCO advisory.
So many software updates have issued by the Cisco company that fix all these vulnerabilities. To gain a remote access of any device configuration, an attacker can make use of the flaw.
Cisco Systems recently announced that they review their software running on their devices to check it against these kind of flaw. They would be searched for undocumented traffic diversions, undocumented account credentials, covert communication channels and backdoors, hardcoded.
In the wake of last month’s Juniper Kerfuffle, Cisco warned their users that some series of Aironet like 18302, 1830i, 1850e, and 1850i are vulnerable to both the hardcoded password vulnerability and the denial of service vulnerability.