VYPR
Unrated severity · NVD Advisory · Published Jun 28, 2006 · Updated Apr 16, 2026

CVE-2006-3291

Description

The web interface on Cisco IOS 12.3(8)JA and 12.3(8)JA1, as used on the Cisco Wireless Access Point and Wireless Bridge, reconfigures itself when it is changed to use the "Local User List Only (Individual Passwords)" setting, which removes all security and password configurations and allows remote attackers to access the system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco IOS 12.3(8)JA and 12.3(8)JA1 on wireless APs/bridges lose all security when enabling the 'Local User List Only' setting, allowing unauthenticated remote compromise.

Vulnerability

The web interface on Cisco IOS versions 12.3(8)JA and 12.3(8)JA1, as used on several wireless access point and bridge models (350, 1100, 1130, 1200, 1240, 1310, 1410), contains a logic flaw. When the authentication setting is changed to "Local User List Only (Individual Passwords)", the device automatically reconfigures itself, removing all security and password configurations. Devices upgraded from a non-vulnerable IOS version to a vulnerable one are unaffected unless the configuration is subsequently changed [1][2].

Exploitation

An attacker must have network access to the device's HTTP management interface (typically ports 80 or 443). The vulnerability is triggered when the "Local User List Only (Individual Passwords)" option is enabled—either by an administrator or by an attacker who has already obtained administrative access. Once enabled, the device clears all authentication requirements, allowing any subsequent remote (or local) attacker to access the web interface and console port without credentials [1].

Impact

A remote unauthenticated attacker can gain complete control over the affected access point. This includes the ability to modify configuration, monitor or redirect network traffic, and potentially pivot to other devices on the network. The compromise is total and can be achieved without any prior authentication [1].

Mitigation

Cisco has released fixed IOS versions to address this vulnerability. Users should upgrade to a non-vulnerable version as specified in the Cisco security advisory [2]. As a workaround, do not enable the "Local User List Only" setting; instead, use the default authentication method. Additionally, disabling the HTTP server or restricting network access to the management interface (e.g., via ACLs) can prevent exploitation until an upgrade is applied [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 8

News mentions: 0 (no linked articles in our index yet)