Cisco patched critical bugs; would allow device takeover
Cisco patched multiple vulnerabilities, two critical, affecting its wireless LAN Controller software, Identity Services Engine software, and Aironet access points.
Cisco patched multiple vulnerabilities affecting its wireless LAN Controller software, Identity Services Engine software, and Aironet access points. Two of the vulnerabilities are considered critical – including a bug that the United States Computer Emergency Readiness Team (US-CERT) warned could be exploited by a remote attacker to take over devices and an access point hardcoded password.
The wireless LAN Controller software vulnerability (CVE-2015-6314) is the most serious, affecting the 8500 series or earlier. It could allow remote attackers to alter device configurations and completely take over affected devices.
Cisco's Identity Services Engine software has two vulnerabilities. The more significant vulnerability (CVE-2015-6323) could allow attackers to gain administrative access to the device. The other Identity Services Engine flaw (CVE-2015-6317) could be exploited by an attacker to access “specific web resources” intended for administrators.
The Aironet vulnerability (CVE-2015-6336), a hard-coded fixed password that grants access to the device, affects Cisco's 1830e, 1830i, 1850e and 1850i access points. There are no workarounds to the Aironet flaw.