Cisco patches wireless products shipped with hard-coded SSH passwords

News by Rene Millman

Cisco has put out a patch to its Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points running Cisco Mobility Express Software after it was discovered that the products has a flaw that could enable unauthenticated, remote attackers to take complete control of an affected device.

In an advisory, the company said that the vulnerability is due to the existence of default credentials for an affected device that is running Cisco Mobility Express Software, regardless of whether the device is configured as a master, subordinate, or standalone access point.

“An attacker who has layer 3 connectivity to an affected device could use Secure Shell (SSH) to log in to the device with elevated privileges. A successful exploit could allow the attacker to take complete control of the device,” it said.

The flaw affects Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points that are running an 8.2.x release of Cisco Mobility Express Software prior to Release 8.2.111.0, regardless of whether the device is configured as a master, subordinate, or standalone access point.

Cisco has made available updates to address the problem. It added that there was no workaround to the issue. It also said the advisory was “part of a collection” and that other advisories also existed for a Cisco Wireless LAN Controller 802.11 WME input validation denial of service vulnerability, a Cisco Wireless LAN Controller IPv6 UDP denial of service vulnerability, and a Cisco Wireless LAN Controller Management GUI denial of service vulnerability.

A Cisco spokesperson told SC Media UK that Cisco engineers identified a bug that could cause Cisco ASA and FTD devices running select versions of software to stop passing traffic.

“An immediate reboot can prevent deployed devices from being affected by this flaw in the near term, and a fix for affected versions will be released in the coming weeks. This is not a security vulnerability, and there is no risk to the integrity of the device,” they said.

Liviu Arsene, senior E-Threat analyst at Bitdefender, told SC that any company that has such devices in their infrastructure is highly encouraged to apply the latest security fixes that solve the issue, regardless if their devices are directly facing the internet or not.

“It's also recommended to always check the integrity and the security features of any new equipment that's connected to the company's infrastructure, as these issues can sometimes be spotted during the initial internal testing phases performed by IT admins,” he said.

Mark James, security specialist at ESET, told SC that having any type of hard coded credentials embedded into devices can of course lead to problems, and if they are admin-level then “you're just asking for trouble”.

“Many of these mistakes stem from old or redundant code that's not been changed or removed as security and cyber-criminals have evolved. The need for connectivity is paramount these days but the security of the device has to come first. Allowing devices to communicate with each other easily makes plug and play seem great but not when it's at the cost of yours or your company's private data,” he said.
Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events