Cisco Wireless EoL, EoS and Security Advisories – Nov 2014

Here are some of the end-of-sale, end-of-life and vulnerability announcements regarding Cisco Wireless for the last month. Riveting reading material!

Note: Use the links to view the table info mentioned in the post.

End-of-Sale and End-of-Life Announcement for the Cisco Wireless Control System

Cisco announces the end-of-sale and end-of-life dates for the Cisco Wireless Control System. The last day to order the affected product(s) is May 6, 2015. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers’ service contract.

End-of-Sale and End-of-Life Announcement for the Cisco Prime Network Control System Series Appliances

Cisco announces the end-of-sale and end-of-life dates for the Cisco Prime Network Control System Series Appliances. The last day to order the affected product(s) is May 6, 2015. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers’ service contract.

End-of-Sale and End-of-Life Announcement for the Cisco Prime Infrastructure 1.x

Cisco announces the end-of-sale and end-of-life dates for the Cisco Prime Infrastructure 1.x. The last day to order the affected product(s) is May 6, 2015. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers’ service contract.

End-of-Sale and End-of-Life Announcement for the Cisco Prime Network Control System 1.x

Cisco announces the end-of-sale and end-of-life dates for the Cisco Prime Network Control System 1.x. The last day to order the affected product(s) is May 6, 2015. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers’ service contract.

Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability

Cisco Unified IP Phones 7900 Series versions 9.3(1)SR1 and prior contain an arbitrary code execution vulnerability that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges. This vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace. An attacker could exploit this issue by gaining local access to the device using physical access or authenticated access using SSH and executing an attacker-controlled binary that is designed to exploit the issue. Such an attack would originate from an unprivileged context. Ang Cui initially reported the issue to the Cisco Product Security Incident Response Team (PSIRT). On November 6, 2012, the Cisco PSIRT disclosed this issue in Cisco bug ID CSCuc83860 (registered customers only) Release Note Enclosure. Subsequently, Mr. Cui has spoken at several public conferences and has performed public demonstrations of a device being compromised and used as a listening device. Mitigations are available to help reduce the attack surface of affected devices. See the "Details" section of this security advisory and the accompanying Cisco Applied Mitigation Bulletin (AMB) for additional information. Update (November 3rd, 2014): Updated software that resolves the vulnerability described in this document has been released. This release is generally available and can be downloaded from the product-specific support areas on Cisco.com. The release version is 9.4(2). This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-uipphone

Cisco Prime Infrastructure Command Execution Vulnerability

A vulnerability in Cisco Prime Infrastructure could allow an authenticated, remote attacker to execute arbitrary commands with root-level privileges. The vulnerability is due to improper validation of URL requests. An attacker could exploit this vulnerability by requesting an unauthorized command via a specific URL. Successful exploitation could allow an authenticated attacker to execute system commands with root-level privileges. Cisco has released free software updates that address this vulnerability. A software patch that addresses this vulnerability in all affected versions is also available. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140226-pi

Cisco Wireless Control System Conversion Utility Adds Default Password

Customers with the CiscoWorks Wireless LAN Solution Engine (WLSE) may use a conversion utility to convert over to a Cisco Wireless Control System (WCS). This conversion utility creates and uses administrative accounts with default credentials. As there is no requirement to change those credentials during the conversion process, an attacker may be able to leverage these accounts with default credentials to take full administrative control of the WCS after the conversion has completed.
Customers who have converted their CiscoWorks WLSE to a Cisco WCS are advised to set strong passwords for all accounts on their Cisco WCS.

Cisco Wireless Control System Tomcat mod_jk.so Vulnerability

Apache Tomcat is the servlet container for JavaServlet and JavaServer Pages Web within the Cisco Wireless Control System (WCS). A vulnerability exists in the mod_jk.so URI handler within Apache Tomcat which, if exploited, may result in a remote code execution attack. This advisory is posted at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080130-wcs

Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Multiple vulnerabilities exist in the Cisco Wireless LAN Controller (WLC) platforms. This security advisory outlines the details of the following vulnerabilities: malformed HTTP or HTTPS authentication response denial of service vulnerability; SSH connections denial of service vulnerability; crafted HTTP or HTTPS request denial of service vulnerability; crafted HTTP or HTTPS request unauthorized configuration modification vulnerability. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090727-wlc

SQL Injection Vulnerability in Cisco Wireless Control System

Cisco Wireless Control System (WCS) contains a SQL injection vulnerability that could allow an authenticated attacker full access to the vulnerable device, including the ability to modify the system configuration; create, modify and delete users; or modify the configuration of wireless devices managed by WCS. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability.
