Summary

• A vulnerability in the web-based Wireless Controller GUI of Cisco IOS XE Software for Cisco 5760 Wireless LAN Controllers, Cisco Catalyst 4500E Supervisor Engine 8-E (Wireless) Switches, and Cisco New Generation Wireless Controllers (NGWC) 3850 could allow an authenticated, remote attacker to elevate their privileges on an affected device.
  
  The vulnerability is due to incomplete input validation of HTTP requests by the affected GUI, if the GUI connection state or protocol changes. An attacker could exploit this vulnerability by authenticating to the Wireless Controller GUI as a Lobby Administrator user of an affected device and subsequently changing the state or protocol for their connection to the GUI. A successful exploit could allow the attacker to elevate their privilege level to administrator and gain full control of the affected device.
  
  Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
  
  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-ngwc

Affected Products

• Vulnerable Products

  This vulnerability affects the following Cisco products if they are running Cisco IOS XE Software Release 3.7.0E, 3.7.1E, 3.7.2E, 3.7.3E, 3.7.4E, or 3.7.5E:

  • Cisco 5760 Wireless LAN Controllers
  • Cisco Catalyst 4500E Supervisor Engine 8-E (Wireless) Switches
  • Cisco New Generation Wireless Controllers (NGWC) 3850

  To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears.

  The following example shows the output of the show version command for a Cisco 5760 Series Wireless LAN Controller that is running Cisco IOS XE Software Release 3.7.5E:

  Router> show version
  
  Cisco IOS Software, IOS-XE Software, 5700 Series Wireless LAN Controller Software (CT5760-IPSERVICESK9-M), Version 03.07.5E
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2016 by Cisco Systems, Inc.
  .
  .
  .

  For information about the naming and numbering conventions for Cisco IOS XE Software releases, see White Paper: Cisco IOS and NX-OS Software Reference Guide.

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by this vulnerability.
  
  Cisco has confirmed that this vulnerability does not affect the Cisco IOS XE Software 3.6E release train. Cisco has also confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.
  
  In addition, Cisco has confirmed that this vulnerability does not affect Cisco Catalyst 3650 Series Switches.

Workarounds

• There are no workarounds that address this vulnerability.

Fixed Software

• Cisco has not released software updates that address the vulnerability described in this advisory.

  Customers may only install and expect support for software versions and feature sets for which they have a valid license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
  https://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

  Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

  Customers Without Service Contracts

  Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
  https://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

  Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

  Fixed Releases

  Customers should contact the Cisco TAC to determine the best option for addressing this vulnerability.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

• This vulnerability was found during the resolution of a Cisco TAC support case.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-ngwc

Revision History

• Version	Description	Section	Status	Date
  1.0	Initial public release.	-	Final	2017-September-27

  Show Less