1 min read

Vulnerabilities in Cisco Gear Enable Remote Control and Reload Loops

Liviu ARSENE

April 06, 2017

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Vulnerabilities in Cisco Gear Enable Remote Control and Reload Loops

A critical vulnerability involving the existence of default credentials in two Cisco access points, Aironet 1830 Series and Cisco Aironet 1850 Series, could allow an unauthenticated attacker to remotely seize control of affected devices.

Leveraging layer 3 connectivity – knowing the device”s IP address – an attacker could rely on a secure shell to remotely access the devices by exploiting the Cisco Mobility Express Software vulnerability found on the two devices. This would allow complete control over the devices and the attacker could perform any activity that an administrator would.

“This vulnerability affects Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points that are running an 8.2.x release of Cisco Mobility Express Software prior to Release 8.2.111.0, regardless of whether the device is configured as a master, subordinate, or standalone access point,” reads the advisory.

A second vulnerability, this time affecting the web management interface of Cisco Wireless LAN Controller (WLC) Software, could enable an attacker to access a hidden URL to the web interface and cause the device to reboot. With the vulnerability rated as “high”, this attack could result in a denial of service condition that could render the device inoperable.

“The vulnerability is due to a missing internal handler for the specific request,” reads the Cisco advisory. “An attacker could exploit this vulnerability by accessing a specific hidden URL on the web management interface.”

Fixes for the two vulnerabilities have already been issued, and those affected are encouraged to apply them as soon as possible. While it”s unclear if and such exploits have been successful in-the-wild, companies that own the affected hardware models need to take precautions.

tags


Author


Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past few years.

View all posts

You might also like

Bookmarks


loader