Cisco Wireless Control System Privilege Escalation Vulnerability

Cisco Wireless Control System (WCS) versions prior to 4.0.87.0 contains a vulnerability that could allow an authenticated, remote attacker to gain escalated privileges on the affected system.

This vulnerability exists due to insufficient access controls on the Cisco WCS configuration page used to assign group membership. An authenticated, remote attacker could exploit this vulnerability by accessing this page and adding their account to the SuperUsers group. This grants the attacker full privileges in the WCS application, allowing the attacker to control all devices managed by the WCS.

Cisco has confirmed this vulnerability and released software updates.

To exploit this vulnerability, an attacker must authenticate to the WCS. No additional credentials are required. As a result of the vulnerability described in Alert 13036, any authenticated user level access to the WCS is sufficient to access some WCS configuration pages without the need for further authentication. This vulnerability relates specifically to the ability to access a WCS configuration page that can be used to add an application user to an application group. Because of this vulnerability, it is possible for any WCS user to add their user account to the SuperUsers group. The attacker must also know the correct URL to enter to reach the vulnerable page, however. This reduces the likelihood of an
attack somewhat, although an attacker who is familiar with the WCS product would have little trouble locating the correct page.