[NEWS] Default Password in Wireless Location Appliance

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Default Password in Wireless Location Appliance
------------------------------------------------------------------------


SUMMARY

The Cisco Wireless Location Appliance software contains a default password
for the 'root' administrative account. A user who logs in using this
username has complete control of the device.

This password is the same in all installations of the product prior to
version 2.1.34.0 when shipped as part of a new product purchase. This
vulnerability still exists on upgraded installations unless explicit steps
have been taken to change the password after the initial installation of
the product.

DETAILS

Affected Products:
This vulnerability affects Cisco 2700 Series Wireless Location Appliances
shipped with versions prior to 2.1.34.0.

The version of software on the Wireless Location Appliance can be
determined in one of three ways.

From the command line the version can be determined with the getserverinfo
command. The version is contained in the first five lines of output which
will look similar to the following output from a device running version
1.1.73.0:

-------------
Server Config
-------------
Product name: Cisco Wireless Location Appliance
Version: 1.1.73.0

Another way to get the version from the command line is to view the file
/opt/locserver/conf/version.txt. For a WLA running version 2.0.42.0, the
contents of that file should be similar to:

[root@locserv /]# cat /opt/locserver/conf/version.txt
#Tue Jan 31 11:08:35 PST 2006
build.number=42
minor.number=0
patch.number=0
major.number=2
branch.name=HOT
product.name=Cisco Wireless Location Appliance

The version is simply obtained by assembling the numbers beginning with
the "major.number" followed by "minor.number", "build.number" and
"patch.number" in that order with each number separated by a period.

Lastly, the version may be obtained via the web interface on a Cisco
Wireless Control System (WCS) for any Location Appliances which are
configured on it. Browsing to the "Locations" tab and clicking on
"Location Servers" in the resulting menu will give a list of Location
Appliances with their corresponding versions under the "Versions" column.

No other products are known to be vulnerable.

Details:
The Cisco Wireless Location Appliance (WLA) uses RF fingerprinting
technology to simultaneously track 802.11 wireless devices from directly
within a WLAN infrastructure. By design, the Cisco Wireless Location
Appliance is directly integrated into the WLAN infrastructure using Cisco
wireless LAN controllers and Cisco Aironet lightweight access points to
track the physical location of wireless devices.

The Cisco Wireless Location Appliance can be managed via a virtual
terminal (standard keyboard and monitor attached directly to the
appliance), a local serial console, remote SSH connections, and/or remote
secure web sessions. A special administrative account is provided so that
certain management, troubleshooting tasks, and basic initial setup can be
performed.

The default username for administrator login is "root" (without the
quotes), and the default password is "password" (without the quotes). Both
the username and password are case sensitive.

This issue has been addressed in fixed versions of software by prompting
the user to change the password on the root account during the appliance
setup installation. This only applies to new WLA devices shipped initially
with a non-vulnerable version of software for the initial installation.
Previous versions of software which have been upgraded will not prompt the
user to change the password for the root user during the upgrade.

Impact:
Successful exploitation of the vulnerability may result in a remote
attacker gaining full administrative control of the device.

Software Version and Fixes:
This vulnerability is fixed in versions
<http://www.cisco.com/pcgi-bin/tablebuild.pl/2700_series_Wireless_Location_Appliance?psrtdcat20e2> 2.1.34.0 and later when shipped on new devices for initial installation of the Cisco Wireless Location Appliance software.

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") or your contracted maintenance provider for
assistance.

Workarounds:
The vulnerability described in this document can be eliminated by logging
in to the affected WLA and changing the default password for the
administrative root account to a strong password chosen by the user.

If the password has not previously been changed, the default username for
the administrator login is "root" (without the quotes), and the default
password is "password" (without the quotes). Both the username and
password are case sensitive. After successfully logging in to the WLA as
root, the default password may be changed by running the passwd command.

A reboot is not required for the new password to take effect, so network
operations will not be disrupted.

Obtaining Fixed Software:
Cisco will make free software available to address this vulnerability for
affected customers. This advisory will be updated as fixed software
becomes available. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, customers agree to be bound by the terms of
Cisco's software license terms found at
<http://www.cisco.com/public/sw-license-agreement.html>
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
forth at Cisco.com Downloads at
<http://www.cisco.com/public/sw-center/sw-usingswc.shtml>
http://www.cisco.com/public/sw-center/sw-usingswc.shtml


ADDITIONAL INFORMATION

The information has been provided by <mailto:psirt@xxxxxxxxx> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20061012-wla.shtml>
http://www.cisco.com/warp/public/707/cisco-sa-20061012-wla.shtml



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.