Cisco sounds security alarm over WLAN controller vulnerabilities

Danger sign
24 Jan, 2013

Users of networking giant's WLAN product family urged to install software updates.

System administrators are being ordered to install software updates for their Cisco wireless LAN (WLAN) controllers following the discovery of multiple security vulnerabilities.

Networking titan Cisco has released a security advisory about the issue, which is known to affect 17 members of the firm’s WLAN controller product family, including several models that have now reached end-of-software maintenance.

A full list of the affected models can be found here.

The vulnerabilities include a Denial of Service (DoS) flaw, which affects connectors configured with a wireless intrusion prevention system, that could let hackers reload devices by sending specially crafted IP packets to them.

“Successful exploitation of the DoS vulnerabilities could allow an unauthenticated attacker to cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition,” advised Cisco.

Another flaw, affecting the HTTP profiling feature of Cisco WLAN devices, could allow hackers to execute arbitrary code using a UserAgent string, Cisco warned.

“Only Cisco WLAN Connector software version is affected by this vulnerability, [and a] device is vulnerable only if the HTTP profiling feature is enabled,” said the company’s security advisory.

Meanwhile, a further vulnerability could provide attackers with unauthorised access to the device and allow them to modify its configuration, Cisco warned.

The company has released a series of free software updates to address these security holes, but said it had no reason to suggest that any of the reported vulnerabilities have been exploited by attackers.