4/16/2007 -- Cisco Systems Inc. last week warned of a vulnerability in its Cisco Wireless LAN Controllers (WLC) that could give unauthenticated remote attackers access to compromised systems. Cisco said the new vulnerability is only moderately serious, however.

The flaw affects WLC versions 4.0.206.0 (and earlier) and 3.2.185.0 (and earlier), which ship configured with insecure default SNMP credentials.

The attack itself is fairly straightforward, according to a Security Advisory which Cisco posted last week: A remote attacker can use SNMP community strings to connect directly to a vulnerable WLC device (typically, via port 161); once connected, the attacker can perpetrate an unidentified exploit in order to gain access to the device. From there, the attacker can view or make changes to the WLC configuration. In some cases, Cisco officials acknowledged, an attacker could gain complete control over a compromised device.

Code to exploit the SNMP vulnerability does exist, Cisco confirmed, but there's no evidence yet of public attacks, targeted or otherwise.

The vulnerability affects not only Cisco's Wireless LAN Controllers (the 4400 and 2100 Series, as well as the WLC Module), but also its wireless integrated Catalyst switches -- including the Wireless Services Module (WiSM) that ships with the Catalyst 6500 Series, along with the WLC that's embedded in Cisco's Catalyst 3750 Series. Also affected are Cisco's WLC Module and its Aironet 1000 and 1500 Series Wireless Access Points.

Cisco hasn't yet developed a software update. Instead, officials urge network admins to change their default SNMP community string values and to restrict network access to affected systems using IP-based ACLs.

Cisco also published a document that offers more information and additional workarounds. --Stephen Swoyer