search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Cisco Access Point Web Browser Interface contains a vulnerability

Vulnerability Note VU#544484

Original Release Date: 2006-06-29 | Last Revised: 2006-07-04

Overview

A vulnerability in the HTTP management interface for some configurations of Cisco wireless access points could allow a remote attacker to take complete control over the affected device.

Description

Cisco wireless access points allow administrators to create more than one set of authentication credentials (local user list) for the HTTP management interface of their access points. If this feature is enabled on one of the systems affected by this vulnerability, the access point will be automatically reconfigured with no security, and no user credentials will be required to access the access point's HTTP or console port interface.

Systems Affected

According to Cisco, the following models of access points running IOS versions 12.3(8)JA or 12.3(8)JA1 are vulnerable:

    • 350 Wireless Access Point and Wireless Bridge
    • 1100 Wireless Access Point
    • 1130 Wireless Access Point
    • 1200 Wireless Access Point
    • 1240 Wireless Access Point
    • 1310 Wireless Bridge
    • 1410 Wireless Access Point

Note that Cisco says that access points configured with a non-vulnerable version of IOS, then upgraded to a vulnerable version, are not affected unless the device's configuration has been changed.

Impact

A remote or local unauthenticated user could gain complete control over an affected access point.

Solution

Upgrade
Apply the upgrade supplied by Cisco.


Workarounds

Do not Enable Local User List

Do not enable the local user list, and use the default authentication option instead.

Disable or Restrict HTTP Access

Disable the HTTP server or restrict network access to it. Note that the web interface may also be listening on port 443/tcp. If the HTTP server is not enabled, the local user list feature can safely be configured via the command line interface.

See the workarounds section of Cisco security advisory cisco-sa-20060628-ap for detailed information on how to implement these workarounds.

Vendor Information

544484
 
Expand all

Cisco Systems, Inc. Affected

Updated:  June 29, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Cisco has released security advisory cisco-sa-20060628-ap to address this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml

Acknowledgements

Thanks to Cisco Product Security for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2006-3291
Date Public: 2006-06-28
Date First Published: 2006-06-29
Date Last Updated: 2006-07-04 12:08 UTC
Document Revision: 28

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis