The Cisco Wireless LAN Controller (WLC) product family is affected by these vulnerabilities:
- Two denial of service (DoS) vulnerabilities
- Three privilege escalation vulnerabilities
- Two access control list (ACL) bypass vulnerabilities
Note: These vulnerabilities are independent of one another. A device may be affected by one vulnerability and not affected by another.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds to mitigate these vulnerabilities.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100908-wlc.
These products are each affected by at least one vulnerability covered in this Security Advisory:
The Cisco WLC product family is affected by two DoS vulnerabilities:
The IKE DoS vulnerability affects Cisco WLC software versions 3.2 and later. The HTTP DoS vulnerability affects Cisco WLC software versions 4.2 and later.
The privilege escalation vulnerabilities affect Cisco WLC software versions 4.2 and later.
One of the two ACL bypass vulnerabilities affects Cisco WLC software versions 4.1 and later. The second ACL bypass vulnerability affects Cisco WLC software versions 6.0.x.
Administrators can use these instructions to determine the software version that is running on the Cisco WLCs (using the web or command-line interface) or on the Cisco WiSM (using commands on the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router).
To determine the WLC version that is running in a given environment, use one of these methods:
Note: Customers who use a Cisco WLC Module in an ISR will need to issue the service-module wlan-controller
(Cisco Controller)> show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 5.1.151.0
RTOS Version..................................... Linux-2.6.10_mvl401
Bootloader Version............................... 4.0.207.0
Build Type....................................... DATA + WPS
Use the show wism module
Router# show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN                         : 192
Service Port                         : 10
Service Port Mac Address             : 0011.92ff.8742
Service IP Address                   : 192.168.10.1
Management IP Address                : 192.168.1.123
Software Version                     : 5.1.151.0
Port Channel Number                  : 288
Allowed vlan list                    : 30,40
Native VLAN ID                       : 40
WCP Keep Alive Missed                : 0
No other Cisco products are currently known to be affected by these vulnerabilities.
Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP) and the Control and Provisioning of Wireless Access Points (CAPWAP) protocol.
The Cisco WLC family of devices is affected by 2 denial of service vulnerabilities, 3 privilege escalation vulnerabilities, and 2 access control list bypass vulnerabilities. The following are the details about these vulnerabilities.
An attacker with the ability to send a malicious IKE packet to an affected Cisco WLC could cause the device to crash and reload. This vulnerability can be exploited from both wired and wireless segments.
Note: IKE is enabled by default in the WLC and cannot be disabled. Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCta56653 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0574.
An authenticated attacker with the ability to send a series of malicious HTTP packets to an affected Cisco WLC could cause the device to reload. This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability.
Note: Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. WebAuth or guest access is not affected by this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCtd16938 (registered customers only) and has been assigned CVE ID CVE-2010-2841.
Three privilege escalation vulnerabilities exist in the Cisco WLCs that could allow an authenticated attacker with read-only privileges to modify the device configuration.
These vulnerabilities are documented in Cisco Bug IDs CSCtc91431 (registered customers only), CSCsz66726 (registered customers only), and CSCtc93837 (registered customers only); and have been assigned CVE IDs CVE-2010-2842, CVE-2010-2843, and CVE-2010-3033.
ACLs can be configured in the Cisco WLCs and applied to data traffic to and from wireless clients or to all traffic that is destined for the controller CPU. After ACLs are defined, they can be applied to the management interface, the access point manager (AP-manager) interface, or any of the dynamic interfaces for client data traffic or to the Network Processing Unit (NPU) interface for traffic to the controller CPU. Two vulnerabilities exist in the Cisco WLCs that could allow an unauthenticated attacker to bypass policies that should be enforced by CPU-based ACLs. No other ACL types are affected by these vulnerabilities.
Note: CPU-based ACLs are configured and applied by navigating to Security > Access Control Lists > CPU Access Control Lists in the Cisco WLC web management interface. When CPU-based ACLs are enabled, they are applicable to both wireless and wired traffic.
These vulnerabilities are documented in Cisco Bug IDs CSCta66931 (registered customers only) and CSCtf36051 (registered customers only); and have been assigned CVE IDs CVE-2010-0575 and CVE-2010-3034.
There are no available workarounds to mitigate any of these vulnerabilities.
Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20100908-wlc.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable.
Vulnerability/Bug ID | Affected Release | First Fixed Version
IKE DoS Vulnerability (CSCta56653) | 3.2 | 3.2.215.0
IKE DoS Vulnerability (CSCta56653) | 4.0 | Vulnerable; Migrate to 4.2
IKE DoS Vulnerability (CSCta56653) | 4.1 | Vulnerable; Migrate to 4.2
IKE DoS Vulnerability (CSCta56653) | 4.1M | Vulnerable; Migrate to 4.2M
IKE DoS Vulnerability (CSCta56653) | 4.2 | 4.2.205.0
IKE DoS Vulnerability (CSCta56653) | 4.2M | 4.2.207.54M
IKE DoS Vulnerability (CSCta56653) | 5.0 | Vulnerable; Migrate to 6.0
IKE DoS Vulnerability (CSCta56653) | 5.1 | Vulnerable; Migrate to 6.0
IKE DoS Vulnerability (CSCta56653) | 5.2 | 5.2.193.11
IKE DoS Vulnerability (CSCta56653) | 6.0 | 6.0.188.0
IKE DoS Vulnerability (CSCta56653) | 7.0 | Not Vulnerable
HTTP DoS Vulnerability (CSCtd16938) | 3.2 | Not Vulnerable
HTTP DoS Vulnerability (CSCtd16938) | 4.0 | Vulnerable; Migrate to 4.2
HTTP DoS Vulnerability (CSCtd16938) | 4.1 | Not Vulnerable
HTTP DoS Vulnerability (CSCtd16938) | 4.1M | Not Vulnerable
HTTP DoS Vulnerability (CSCtd16938) | 4.2 | 4.2.209.0
HTTP DoS Vulnerability (CSCtd16938) | 4.2M | 4.2.207.54M
HTTP DoS Vulnerability (CSCtd16938) | 5.0 | Vulnerable; Migrate to 6.0
HTTP DoS Vulnerability (CSCtd16938) | 5.1 | Vulnerable; Migrate to 6.0
HTTP DoS Vulnerability (CSCtd16938) | 5.2 | 5.2.193.11
HTTP DoS Vulnerability (CSCtd16938) | 6.0 | 6.0.196.0
HTTP DoS Vulnerability (CSCtd16938) | 7.0 | Not Vulnerable
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 3.2 | Not Vulnerable
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 4.0 | Vulnerable; Migrate to 4.2
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 4.1 | Vulnerable; Migrate to 4.2
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 4.1M | Vulnerable; Migrate to 4.2M
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 4.2 | 4.2.209.0
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 4.2M | 4.2.207.54M
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 5.0 | Vulnerable; Migrate to 6.0
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 5.1 | Vulnerable; Migrate to 6.0
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 5.2 | 5.2.193.11
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 6.0 | 6.0.188.0
Privilege Escalation Vulnerabilities (CSCtc91431, CSCsz66726, and CSCtc93837) | 7.0 | Not Vulnerable
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 3.2 | Not Vulnerable
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 4.0 | Not Vulnerable
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 4.1 | Not Vulnerable
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 4.1M | Not Vulnerable
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 4.2 | 4.2.207.0
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 4.2M | 4.2.207.54M
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 5.0 | Vulnerable; Migrate to 6.0
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 5.1 | Vulnerable; Migrate to 6.0
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 5.2 | Not Vulnerable
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 6.0 | 6.0.199.0
ACL Bypass Vulnerabilities (CSCta66931 and CSCtf36051) | 7.0 | Not Vulnerable
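As an added example (not part of the advisory, and not Cisco's code) of putting the table above to use: the Python below reads the running version out of show sysinfo or show wism module output, derives its release train (with the M suffix for mesh images), and reports each vulnerability's status against the First Fixed Version column. The show sysinfo fragment embedded in it is constructed for the demonstration.

```python
import re
# First Fixed Version column of the advisory table, by vulnerability and release train.
# None = train not vulnerable; "migrate" = no fix in the train, move to a later train.
FIRST_FIXED = {
    "IKE DoS (CSCta56653)": {"3.2": "3.2.215.0", "4.0": "migrate", "4.1": "migrate",
        "4.1M": "migrate", "4.2": "4.2.205.0", "4.2M": "4.2.207.54M", "5.0": "migrate",
        "5.1": "migrate", "5.2": "5.2.193.11", "6.0": "6.0.188.0", "7.0": None},
    "HTTP DoS (CSCtd16938)": {"3.2": None, "4.0": "migrate", "4.1": None, "4.1M": None,
        "4.2": "4.2.209.0", "4.2M": "4.2.207.54M", "5.0": "migrate", "5.1": "migrate",
        "5.2": "5.2.193.11", "6.0": "6.0.196.0", "7.0": None},
    "Privilege escalation (CSCtc91431, CSCsz66726, CSCtc93837)": {"3.2": None, "4.0": "migrate",
        "4.1": "migrate", "4.1M": "migrate", "4.2": "4.2.209.0", "4.2M": "4.2.207.54M", "5.0": "migrate",
        "5.1": "migrate", "5.2": "5.2.193.11", "6.0": "6.0.188.0", "7.0": None},
    "ACL bypass (CSCta66931, CSCtf36051)": {"3.2": None, "4.0": None, "4.1": None,
        "4.1M": None, "4.2": "4.2.207.0", "4.2M": "4.2.207.54M", "5.0": "migrate",
        "5.1": "migrate", "5.2": None, "6.0": "6.0.199.0", "7.0": None},
}

# Constructed (not captured) fragment of 'show sysinfo' output, for the demo below.
SAMPLE_SYSINFO = """(Cisco Controller)> show sysinfo
Product Version...................... 5.1.151.0
"""

def parse_version(text):
    # 'Product Version.... X' (show sysinfo) or 'Software Version : X' (show wism module)
    m = re.search(r"(?:Product|Software) Version\.*\s*:?\s*(\d+(?:\.\d+){3}M?)", text)
    if not m:
        raise ValueError("no WLC software version found in output")
    return m.group(1)

def version_key(version):
    return tuple(int(p) for p in version.rstrip("M").split("."))  # M (mesh) is not numeric

def release_train(version):
    # '4.2.207.54M' -> '4.2M', '5.1.151.0' -> '5.1'
    return ".".join(version.split(".")[:2]) + ("M" if version.endswith("M") else "")

def exposure(version):
    train, verdicts = release_train(version), {}
    for vuln, fixes in FIRST_FIXED.items():
        fixed = fixes[train]  # KeyError for a train the advisory does not list
        if fixed is None:
            verdicts[vuln] = "not vulnerable"
        elif fixed == "migrate":
            verdicts[vuln] = "vulnerable; no fix in this train"
        elif version_key(version) < version_key(fixed):
            verdicts[vuln] = f"vulnerable; upgrade to {fixed}"
        else:
            verdicts[vuln] = "fixed"
    return verdicts
```

Calling exposure(parse_version(SAMPLE_SYSINFO)) on the constructed 5.1.151.0 sample reports every vulnerability as having no fix in the 5.1 train, matching the table's "Migrate to 6.0" entries.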
The "Recommended Release" table lists the releases which have fixes for all the published vulnerabilities at the time of this Advisory. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" table.
Affected Release | Recommended Release
3.2 | 3.2.215.0
4.0 | Vulnerable; Migrate to 4.2
4.1 | Vulnerable; Migrate to 4.2
4.1M | Vulnerable; Migrate to 4.2M
4.2 | 4.2.209.0
4.2M | 4.2.207.54M
5.0 | Vulnerable; Migrate to 6.0
5.1 | Vulnerable; Migrate to 6.0
5.2 | Non FIPS Customers migrate to 6.0
6.0 | 6.0.199.4
7.0 | Not Vulnerable
Note: Cisco WLC Software version 5.2.193.11 is a FIPS certified image. Customers not running FIPS images are recommended to migrate to Cisco WLC software 6.0.199.4 or later.
Customers running 4.1M with a mixture of LAP1505/LAP1510 and LAP1522/LAP1524 units will need to refer to the Mesh and Mainstream Releases on the Controller section of the document Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.1 | 2010-September-09 | Added information for Release 4.0.
Revision 1.0 | 2010-September-08 | Initial public release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.