Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Summary

• The Cisco Wireless LAN Controller (WLC) product family is affected by the following vulnerabilities:
  

  • Cisco Wireless LAN Controller Denial of Service Vulnerability
  • Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability
  • Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability
  • Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability
  • Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
  • Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability

  
  Cisco has released software updates that address these vulnerabilities.
  
  This advisory is available at the following link:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-wlc

Affected Products

• The Cisco WLC product family is affected by multiple vulnerabilities. Affected versions of Cisco WLC Software vary depending on the specific vulnerability.

  Vulnerable Products

  For specific version information, see the "Software Versions and Fixes" section of this advisory.
  At least one of the vulnerabilities covered in this security advisory affects each of the following products:
  
  

  Stand Alone Controllers

  • Cisco 500 Series Wireless Express Mobility Controllers
  • Cisco 2000 Series Wireless LAN Controllers
  • Cisco 2100 Series Wireless LAN Controllers
  • Cisco 2500 Series Wireless Controllers
  • Cisco 4100 Series Wireless LAN Controllers
  • Cisco 4400 Series Wireless LAN Controllers
  • Cisco 5500 Series Wireless Controllers
  • Cisco Flex 7500 Series Wireless Controllers
  • Cisco 8500 Series Wireless Controllers
  • Cisco Virtual Wireless Controller

  Modular Controllers

  • Cisco Catalyst 6500 Series/7600 Series Wireless Services Module (Cisco WiSM)
  • Cisco Wireless Services Module version 2 (WiSM2)
  • Cisco NME-AIR-WLC Module for Integrated Services Routers (ISRs)
  • Cisco NM-AIR-WLC Module for Integrated Services Routers (ISRs)
  • Cisco Catalyst 3750G Integrated WLC
  • Cisco Wireless Controller Software for Services-Ready Engine (SRE) *

  * Covers the Integrated Services Module 300 and Cisco Services-Ready Engine 700, 710, 900, and 910 products.
  
  Note: The Cisco 2000 Series WLC, Cisco 4100 Series WLC, Cisco NM-AIR-WLC, and Cisco 500 Series Wireless Express Mobility Controllers, have reached end-of-software maintenance. The following table includes the end-of-life document URL for each model:
  
  
  

  Model	End of Life Document URL
  Cisco 2000 Series WLC	http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6308/prod_end-of-life_notice0900aecd805d22b0.html
  Cisco NM-AIR-WLC Modules for ISR	http://www.cisco.com/en/US/prod/collateral/modules/ps2797/prod_end-of-life_notice0900aecd806aeb34.html
  Cisco 500 Series Wireless Express Mobility Controllers	http://www.cisco.com/en/US/prod/collateral/wireless/ps7306/ps7320/ps7339/end_of_life_c51-568040.html

  To determine the Cisco WLC Software version that is running in a given environment, use one of the following methods:

  In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version field.
  
  In the command-line interface, issue the show sysinfo command as shown in the following example:
  

  (Cisco Controller)> show sysinfo
  
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 7.4.121.0
  Bootloader Version............................... 1.0.16
  Field Recovery Image Version..................... 7.0.112.21
  Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
  

  Cisco Wireless LAN Controller Denial of Service Vulnerability

  To determine if the WebAuth feature has been enabled issue the show wlan command (X=wlan ID) for each of the configured wireless networks. The following example shows the feature enabled:
  

  Web Based Authentication...................... Enabled

  Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability

  To determine if the IGMPv3 feature has been enabled issue the show network summary command. The following example shoes the feature enabled:
  

  IGMP snooping............................... Enabled
  
  

  Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability

  To determine if the MLDv2 feature has been enabled issue the show network summary command. The following example shows the feature enabled:
  

  MLD snooping............................... Enabled

  
  

  Summary Table:

  	4.x	5.x	6.x	7.0	7.1	7.2	7.3	7.4	7.5	7.6
  Cisco Wireless LAN Controller Denial of Service Vulnerability CVE-2014-0701				X		X	X	X
  Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability CVE-2014-0703								X
  Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability CVE-2014-0704	X	X	X	X	X	X	X	X
  Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability CVE-2014-0705						X	X	X	X
  Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability CVE-2014-0706						X	X	X
  Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability CVE-2014-0707						X	X	X
  Recommended Release	Migrate	Migrate	Migrate	7.0.250.0	Migrate	Migrate	Migrate	7.4.121.0	Migrate	7.6.100.0

  Products Confirmed Not Vulnerable

  The following IOS-XE based Wireless Controllers are not affected:
  
  Cisco 5700 Series Wireless Controllers
  Cisco 3600 Series Wireless Controllers
  Cisco 3800 Series Wireless Controllers
  
  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• The Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functionality, including security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP) and the Control and Provisioning of Wireless Access Points (CAPWAP) protocol.
  
  The Cisco WLC family of devices is affected by the following vulnerabilities:
  

  Cisco Wireless LAN Controller Denial of Service Vulnerability

  A vulnerability in the WebAuth feature of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause the device to reload.
  
  The vulnerability is due to a failure to deallocate memory used during the processing of a WebAuth login. An attacker could exploit this vulnerability by creating a large number of WebAuth requests at a high rate and leave them in an uncompleted state. An exploit could allow the attacker to consume all available memory on the device. This causes a watchdog process to restart the WLC, resulting in a denial of service (DoS) while the device reboots.
  
  The WebAuth feature must be enabled and configured for a device to be affected by this vulnerability. This feature is disabled by default.
  
  This vulnerability is documented by Cisco bug ID CSCuf52361 (registered customers only) and has been assigned CVE ID CVE-2014-0701.

  Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability

  A vulnerability in the Cisco IOS code that is pushed to Cisco Aironet 1260, 2600, 3500, and 3600 Series access points (AP) by a Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, remote attacker to gain unauthorized, privileged access to the affected device.
  
  The vulnerability is due to a race condition that could result in the administrative HTTP server of an affected access point being enabled even though it is explicitly disabled by an administrator. An attacker could exploit this vulnerability by attempting to authenticate to an affected device using locally-stored credentials of the AP. A successful attack could allow an attacker to take complete control of the affected AP and make arbitrary changes to the configuration.
  
  In many deployment scenarios, the locally-stored default AP username and password has not been changed from the factory default. In these zero-touch scenarios, the devices are designed to connect automatically to a WLC and download firmware and configurations.
  
  This vulnerability is documented in Cisco bug ID CSCuf66202 (registered customers only) and has been assigned CVE ID CVE-2014-0703.
  

  Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability

  A vulnerability in the IGMP processing subsystem of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause a DoS condition.
  
  The vulnerability is due to improper validation of a specific field in certain IGMP message types. When messages are processed, the IGMP subsystem may perform a memory over-read. When subsequent processing is performed on the extraneous data an error may occur that results in a reload of the device. An attacker could exploit this vulnerability by injecting a malicious IGMP version 3 message onto the network that will be received and processed by an affected WLC. An exploit could allow the attacker to trigger a critical error on the WLC, resulting in a DoS condition while the device restarts.
  
  The IGMPv3 Snooping feature is disabled by default and must be explicitly configured by an administrator for a device to be vulnerable.
  
  This vulnerability is documented in Cisco bug ID CSCuh43240 (registered customers only) and has been assigned CVE ID CVE-2014-0704.
  

  Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability

  A vulnerability in the multicast listener discovery (MLD) service of a Cisco WLC configured for IPv6 could allow an unauthenticated, remote attacker to cause a denial of service condition.
  
  The vulnerability is due to a failure to properly parse malformed MLD version 2 messages. An attacker could exploit this vulnerability by submitting a malformed MLDv2 packet to a multicast-enabled network that the Cisco WLC is listening for. An exploit could allow the attacker to trigger a critical error on the WLC, resulting in a DoS condition while the device restarts.
  
  The MLDv2 Snooping feature is disabled by default and must be explicitly configured by an administrator for a device to be vulnerable.
  
  This vulnerability is documented in Cisco bug ID CSCuh74233 (registered customers only) and has been assigned CVE ID CVE-2014-0705.
  

  Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability

  A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.
  
  This vulnerability is due to a failure to correctly process an Ethernet 802.11 frame. An attacker could exploit this vulnerability by sending a specially crafted Ethernet 802.11 frame. Repeated exploitation may result in a sustained DoS condition.
  
  This vulnerability is documented in Cisco bug ID CSCue87929 (registered customers only) and has been assigned CVE ID CVE-2014-0706.
  

  Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability

  A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.
  
  This vulnerability is due to a failure to correctly process an Ethernet 802.11 frame. An attacker could exploit this vulnerability by sending a specially crafted Ethernet 802.11 frame. Repeated exploitation may result in a sustained DoS condition.
  
  This vulnerability is documented in Cisco bug ID CSCuf80681 (registered customers only) and has been assigned CVE ID CVE-2014-0707

Workarounds

• Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability

  Administrators may mitigate this issue by configuring Global AP Management Credentials on the affected device. This will disable the defaults and help ensure that unauthorized parties are unable to access the AP via the HTTP interface.
  
  There are no on-device workarounds that mitigate the other vulnerabilities detailed in this document

  Mitigation information for the vulnerability described in this advisory is available in the companion Applied Mitigation Bulletin (AMB) at the following location: Identifying and Mitigating Exploitation of Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  

  Cisco Wireless LAN Controller Denial of Service Vulnerability
  Affected Release	First Fixed	Recommended
  7.0	7.0.250.0	7.0.250.0 or 7.4.121.0*
  7.2	N/A	Migrate to 7.4.121.0 or 7.6.100.0
  7.3	N/A	Migrate to 7.4.121.0 or 7.6.100.0
  7.4	7.4.110.0	7.4.121.0

  * 4400/WiSM1/3750/2000 controllers can not upgrade beyond 7.0 code
  
  

  Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability
  Affected Release	First Fixed	Recommended
  7.4	7.4.110.0	7.4.121.0

  
  

  Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability
  Affected Release	First Fixed	Recommended
  4.x	N/A	Migrate to 7.0.250.0
  5.x	N/A	Migrate to 7.0.250.0
  6.x	N/A	Migrate to 7.0.250.0
  7.0	7.0.250.0	Migrate to 7.0.250.0 or 7.4.121.0*
  7.1	N/A	Migrate to 7.4.121.0 or 7.6.100.0
  7.2	N/A	Migrate to 7.4.121.0 or 7.6.100.0
  7.3	N/A	Migrate to 7.4.121.0 or 7.6.100.0

  * 4400/WiSM1/3750/2000 controllers can not upgrade beyond 7.0 code
  
  

  Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability
  Affected Release	First Fixed	Recommended
  7.2	N/A	Migrate to 7.4.121.0 or 7.6.100.0
  7.3	N/A	Migrate to 7.4.121.0 or 7.6.100.0
  7.4	7.4.121.0	Migrate to 7.4.121.0
  7.5	N/A	Migrate to 7.4.121.0 or 7.6.100.0

  
  

  Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability CVE-2014-0706
  Affected Release	First Fixed	Recommended
  7.2	7.2.115.2	Migrate to 7.4.121.0 or 7.6.100.0
  7.3	N/A	Migrate to 7.4.121.0 or 7.6.100.0
  7.4	7.4.110.0	7.4.121.0

  
  

  Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability CVE-2014-0707
  Affected Release	First Fixed	Recommended
  7.2	N/A	Migrate to 7.4.121.0 or 7.6.100.0
  7.3	N/A	Migrate to 7.4.121.0 or 7.6.100.0
  7.4	7.4.110.0	7.4.121.0

  
  

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

  Cisco Wireless LAN Controller Denial of Service Vulnerability, Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability, and Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability where discovered during internal testing and have not been found in customer deployments.
  
  Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability, Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability, and Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability were discovered by the Cisco TAC while investigating customer issues.
  
  

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-wlc

Revision History

• Revision 1.0

  2014-March-05

  Initial public release.

  Show Less