SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Cisco Hosting Solution Engine
Vendors:   Cisco
Cisco Hosting Solution Engine (HSE) Hardcoded User Account Grants Full Access to Remote Users
SecurityTracker Alert ID:  1009695
SecurityTracker URL:  http://securitytracker.com/id/1009695
CVE Reference:   CAN-2004-0391
Updated:  May 12 2004
Original Entry Date:  Apr 7 2004
Impact:   Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.7, 1.7.1, 1.7.2, and 1.7.3
Description:   A vulnerability was reported in the Cisco Hosting Solution Engine (HSE) software. A remote user can access a built-in user account to gain full control over the device.

Cisco reported that the HSE software includes a hardcoded username and password that cannot be disabled. A remote user can log in with these credentials to gain full control of the target device.

Cisco has assigned Bug ID CSCsa11584 to this vulnerability.

Impact:   A remote user can log in to the device and gain full control over it.
Solution:   Cisco has released a patch. For HSE, install the HSE-1.7.x-CSCsa11584.zip patch on HSE 1105 versions 1.7, 1.7.1, 1.7.2, or 1.7.3. The patch is available at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-host-sol

Vendor URL:  www.cisco.com/warp/public/707/cisco-sa-20040407-username.shtml
Cause:   Configuration error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Wed, 07 Apr 2004 12:00:37 -0400
Subject:  http://www.cisco.com/warp/public/707/cisco-sa-20040407-username.shtml


http://www.cisco.com/warp/public/707/cisco-sa-20040407-username.shtml

 > Cisco Security Advisory: A Default Username and Password in WLSE and HSE Devices
 > Document ID: 50400
 > Revision 1.0

 > For Public Release 2004 April 07 1600 UTC (GMT)

Cisco reported that the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine 
(HSE) software includes a hardcoded username and password value that cannot be disabled. 
A remote user can log in using this authentication data to gain full control of the target 
device.

WLSE versions 2.0, 2.0.2, and 2.5 are affected.

HSE versions 1.7, 1.7.1, 1.7.2, and 1.7.3 are affected.

Cisco has assigned Bug ID CSCsa11583 for the WLSE bug and CSCsa11584 for the HSE bug to 
this vulnerability.

Cisco has released the following fixes.

For WLSE, install the WLSE-2.x-CSCsa11583-K9.zip patch on WLSE 1130 versions 2.0, 2.0.2, 
or 2.5.  The patch is available at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/wlan-sol-eng

For HSE, install the HSE-1.7.x-CSCsa11584.zip patch on HSE 1105 versions 1.7, 1.7.1, 
1.7.2, or 1.7.3.  The patch is available at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-host-sol

Copyright 2013, SecurityGlobal.net LLC