Cisco fixes hard-coded password 'backdoor' flaw in Wi-Fi access points

Two of the vulnerabilities were considered 'critical,' allowing an attacker to take complete control of an affected device.
Written by Zack Whittaker, Contributor

Cisco network administrators have been advised to update some wireless access point devices following the discovery of two "critical" vulnerabilities.

The company said its Aironet 1800-series devices include a "critical" vulnerability that would effectively allow an attacker to walk in with backdoor access.

In an advisory posted late Tuesday, Cisco explained the flaw is "due to the presence of a default user account that is created when the device is installed," but added that the account does not have full administrative rights.

"An attacker could exploit this vulnerability by logging in to the device by using the default account, which could allow the attacker to gain unauthorized access to the device," the advisory read.

The company disclosed another flaw, rated "critical," in some versions of Cisco's Identity Services Engine (ISE), which could allow a remote attacker to gain unauthorized access to the device's administrative portal.

An attacker exploiting the flaw could conduct a "complete compromise" of the affected device.

Another flaw affecting the Identity Services Engine was rated "medium" in severity, and allows a remote attacker access to "specific web resources" for administrators.

Cisco released a fourth patch affecting its Wireless LAN Controller, which if exploited could also allow an attacker to "compromise the device completely."

Affected devices include Cisco 2500-series, 550-series, 8500-series, and Flex 7500-series devices, and virtual wireless controllers -- among other devices.

All of the flaws were discovered in-house by Cisco engineers, the advisories said, indicating that the flaws may not have been publicly known.

The patches land hot on the heels of a code review which the network equipment maker said it would carry out in the wake of the Juniper "unauthorized code" backdoor fiasco.

The National Security Agency was accused of planting a backdoor in the company's ScreenOS software, which runs a number of the network equipment devices it sells. The backdoor was placed in part because the company used a modified cryptographic algorithm that was known to have been weakened by the US intelligence agency.
