Overview
A default account with a common username and password exists in two Cisco products. An attacker with knowledge of this account information can compromise any of these devices on the network.
Description
A default account with a known, fixed username and password combination exists in some versions of the Cisco Wireless LAN Solution Engine (WLSE) and Cisco Hosting Solution Engine (HSE). The WLSE provides centralized management for Cisco Wireless LAN infrastructures. The HSE is a hardware-based product that provides fault and performance information about the Layer 2-3 hosting infrastructure and Layer 4-7 hosted services. According to the Cisco Security Advisory:
Impact
An attacker with knowledge of the default account information and the ability to access a vulnerable device may take administrative control of the device. Immediate impacts of this level of access include, but are not limited to, the ability to add new users or modify details of existing users, and the ability to change the device's configuration. Cisco lists the following practical examples of impacts resulting from exploitation:
Solution
Apply a patch from the vendor
Workarounds
Vendor Information
References
Acknowledgements
Thanks to Cisco Systems Product Security Incident Response Team for reporting this vulnerability.
This document was written by Chad R Dougherty.
Other Information
CVE IDs: None
Severity Metric: 18.23
Date Public: 2004-04-07
Date First Published: 2004-04-07
Date Last Updated: 2004-04-23 00:07 UTC
Document Revision: 19