Overview

The end of 2015 was a busy backdoor season for Cisco engineers: four major vulnerabilities, CVE-2015-6314, CVE-2015-6317, CVE-2015-6323 and CVE-2015-6336, were published and later patched in mid-January 2016.

In late December 2015, Cisco announced in a security blog an Update for Customers, explaining that it was carrying out additional code review and penetration testing to address public concern after the Juniper ScreenOS vulnerabilities. Cisco’s efforts seemed to pay off, with four vulnerabilities posted on January 13, 2016 in the Cisco Security Advisories and Responses.

Impact

The Cisco Security Advisories point out that none of the four vulnerabilities has a workaround. The “Exploitation and Public Announcements” section of each advisory states, “The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.”

The four backdoors cover several Wireless Controllers, Access Points and the Identity Services Engine. Below is an outline, organized by CVE, of the devices affected.

  • CVE-2015-6314
    • Cisco 2500 Series Wireless Controllers
    • Cisco 5500 Series Wireless Controllers
    • Cisco 8500 Series Wireless Controllers
    • Cisco Flex 7500 Series Wireless Controllers
    • Cisco Virtual Wireless Controllers
  • CVE-2015-6317 & CVE-2015-6323
    • Cisco Identity Services Engine
      • Vulnerable Versions
        • 1.1 or later
        • 1.2.0 prior to patch 17
        • 1.2.1 prior to patch 8
        • 1.3 prior to patch 5
        • 1.4 prior to patch 4
    • Cisco Identity Services Engine Express
  • CVE-2015-6336
    • Cisco Aironet 1830e Series Access Point
    • Cisco Aironet 1830i Series Access Point
    • Cisco Aironet 1850e Series Access Point
    • Cisco Aironet 1850i Series Access Point

The critical Cisco Wireless LAN Controller Unauthorized Access Vulnerability CVE-2015-6314 could allow an unauthenticated remote attacker to modify the device configuration.

The medium-rated Cisco Identity Services Engine Unauthorized Access Vulnerability CVE-2015-6317 applies to versions prior to 2.0 and allows a low-privileged authenticated remote attacker to access particular web resources intended only for administrative users.

The critical Cisco Identity Services Engine Unauthorized Access Vulnerability CVE-2015-6323 could allow an attacker with access to the Admin portal to gain administrative access to the device.

The high-rated Cisco Aironet 1800 Series Access Point Default Static Account Credentials Vulnerability CVE-2015-6336 allows the device to be accessed with non-administrative privileges through a default account that has a static password. The default account is created when the device is installed.

Remediation

With no workarounds available and given the severity of these backdoors, it is important to patch as soon as possible.

For Cisco WLCs, the Cisco Security Advisory (id cisco-sa-20160113-wlc) recommends upgrading to an appropriate release indicated in the table below.

Cisco WLC Major Release | First Fixed Release (CVE-2015-6314)
7.6                     | Contact Cisco TAC
8.0                     | 8.0.121.0
8.1                     | 8.1.131.0

Both Cisco Security Advisories (ids: cisco-sa-20160113-ise2 and cisco-sa-20160113-ise) recommend upgrading to Cisco Identity Services Engine 2.0 or above.

The Cisco Security Advisory (id cisco-sa-20160113-air) recommends upgrading to version 8.1.131.0 or later for the Aironet 1800 Series Access Points.
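The fixed-release figures above are only useful once they are compared against what is actually deployed. The following script is an added example (not GuidePoint’s or Cisco’s code) that encodes the WLC table, the Aironet 1800 minimum release and the ISE patch levels listed on this page, and classifies each device in an inventory as fixed, vulnerable, contact-TAC or not covered by the table. It assumes dotted, purely numeric version strings; the hostnames and versions in the sample inventory are constructed.

```python
"""Check a device inventory against the January 2016 Cisco advisories.

Added example, not code from GuidePoint or Cisco. Fixed releases and ISE
patch levels come from the advisory summary above; the inventory at the
bottom is constructed sample data, and version strings are assumed to be
purely numeric and dot-separated.
"""

# cisco-sa-20160113-wlc (CVE-2015-6314): first fixed build per major release.
# None means the advisory lists no fixed build and directs you to Cisco TAC.
WLC_FIRST_FIXED = {"7.6": None, "8.0": "8.0.121.0", "8.1": "8.1.131.0"}

# cisco-sa-20160113-air (CVE-2015-6336): Aironet 1800 series, 8.1.131.0 or later.
AIRONET_1800_FIRST_FIXED = "8.1.131.0"

# cisco-sa-20160113-ise / -ise2 (CVE-2015-6317, CVE-2015-6323): minimum patch
# per release train as listed above; 2.0 or later is the upgrade target.
ISE_MIN_PATCH = {"1.2.0": 17, "1.2.1": 8, "1.3": 5, "1.4": 4}


def parse_version(version):
    """'8.0.121.0' -> (8, 0, 121, 0); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def wlc_status(version):
    """Classify a WLC build as fixed, vulnerable, contact-TAC or unknown-train."""
    train = ".".join(version.split(".")[:2])
    if train not in WLC_FIRST_FIXED:
        return "unknown-train"          # release train not covered by the table
    fixed = WLC_FIRST_FIXED[train]
    if fixed is None:
        return "contact-TAC"            # 7.6: no fixed build listed
    return "fixed" if parse_version(version) >= parse_version(fixed) else "vulnerable"


def aironet_1800_status(version):
    """Aironet 1800 series: fixed at 8.1.131.0 or later."""
    fixed = parse_version(AIRONET_1800_FIRST_FIXED)
    return "fixed" if parse_version(version) >= fixed else "vulnerable"


def ise_status(release, patch):
    """ISE release string plus installed patch number, e.g. ('1.2.1', 7)."""
    ver = parse_version(release)
    if ver >= (2, 0):
        return "fixed"                  # 2.0 or above is the recommended target
    padded = (ver + (0, 0, 0))[:3]      # so '1.3' and '1.3.0' hit the same train
    for train, min_patch in ISE_MIN_PATCH.items():
        key = parse_version(train)
        if padded[:len(key)] == key:
            return "fixed" if patch >= min_patch else "vulnerable"
    if padded[:2] == (1, 1):
        return "vulnerable"             # 1.1 is listed with no patch level: upgrade
    return "unknown-train"


def check_inventory(devices):
    """Return [(hostname, status)] for a list of inventory records."""
    results = []
    for d in devices:
        if d["type"] == "wlc":
            status = wlc_status(d["version"])
        elif d["type"] == "aironet-1800":
            status = aironet_1800_status(d["version"])
        elif d["type"] == "ise":
            status = ise_status(d["version"], d.get("patch", 0))
        else:
            status = "not-in-scope"
        results.append((d["hostname"], status))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"hostname": "wlc-hq-1", "type": "wlc", "version": "8.0.120.0"},
    {"hostname": "wlc-hq-2", "type": "wlc", "version": "8.1.131.0"},
    {"hostname": "wlc-old", "type": "wlc", "version": "7.6.130.0"},
    {"hostname": "ap-lobby", "type": "aironet-1800", "version": "8.1.111.0"},
    {"hostname": "ise-1", "type": "ise", "version": "1.2.1", "patch": 7},
    {"hostname": "ise-2", "type": "ise", "version": "1.4", "patch": 4},
]

if __name__ == "__main__":
    for hostname, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{hostname:10} {status}")
```

Devices on a WLC train the table does not mention come back as unknown-train rather than fixed, so an inventory with a newer or older release still gets flagged for a manual look instead of being silently passed.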

GuidePoint Security is available to assist our customers with any remediation efforts. Please contact your Account Executive or click here for more details on how GuidePoint can help.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.