Cisco Wireless Bugs--Deja Vu?

This month Cisco Systems announced multiple security vulnerabilities in its Wireless Control System that appear similar to past problems affecting Cisco's Wireless LAN Solution Engine. The irony? WCS makes WLSE obsolete for customers who want to migrate to the new lightweight AP architecture. WLSE is the monitoring/configuration manager appliance for Cisco's older, "fat" AP topology.

Cisco acquired WCS with its 2005 purchase of Airespace, a company that led the march away from autonomous wireless APs in favor of "thin" wireless hardware that gets its smarts from controller appliances. The WCS acts as the manager for the whole system.

This April, bugs were found in WLSE that allowed a cross-site-scripting attack to yield admin privileges on the box, and a separate fault exposed the underlying OS. In 2004, an irremovable admin ID and password were made public. In each case, fixes required new code. The new bugs in the WCS system include yet another hard-coded default user name and password, as well as ways of exploiting different modules in the system OS and applications.

IT needs to stay even more vigilant to code quirks in sexy new wireless hardware than we did with the old stuff. In the case of WCS, flaws may come with even stiffer penalties because companies with a centrally controlled architecture arguably have more to lose should that central component be compromised. -- Lee Badman, [email protected]