Cisco Security Advisory
Multiple Vulnerabilities in Cisco Wireless LAN Controllers
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
-
The Cisco Wireless LAN Controller (WLC) product family is affected by the following vulnerabilities:
- Cisco Wireless LAN Controller Denial of Service Vulnerability
- Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability
- Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability
- Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability
- Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
- Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
Cisco has released software updates that address these vulnerabilities.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-wlc
-
The Cisco WLC product family is affected by multiple vulnerabilities. Affected versions of Cisco WLC Software vary depending on the specific vulnerability.
Vulnerable Products
For specific version information, see the "Software Versions and Fixes" section of this advisory.
At least one of the vulnerabilities covered in this security advisory affects each of the following products:
Stand Alone Controllers
- Cisco 500 Series Wireless Express Mobility Controllers
- Cisco 2000 Series Wireless LAN Controllers
- Cisco 2100 Series Wireless LAN Controllers
- Cisco 2500 Series Wireless Controllers
- Cisco 4100 Series Wireless LAN Controllers
- Cisco 4400 Series Wireless LAN Controllers
- Cisco 5500 Series Wireless Controllers
- Cisco Flex 7500 Series Wireless Controllers
- Cisco 8500 Series Wireless Controllers
- Cisco Virtual Wireless Controller
Modular Controllers
- Cisco Catalyst 6500 Series/7600 Series Wireless Services Module (Cisco WiSM)
- Cisco Wireless Services Module version 2 (WiSM2)
- Cisco NME-AIR-WLC Module for Integrated Services Routers (ISRs)
- Cisco NM-AIR-WLC Module for Integrated Services Routers (ISRs)
- Cisco Catalyst 3750G Integrated WLC
- Cisco Wireless Controller Software for Services-Ready Engine (SRE) *
Note: The Cisco 2000 Series WLC, Cisco 4100 Series WLC, Cisco NM-AIR-WLC, and Cisco 500 Series Wireless Express Mobility Controllers, have reached end-of-software maintenance. The following table includes the end-of-life document URL for each model:
Model
End of Life Document URL
Cisco 2000 Series WLC
Cisco NM-AIR-WLC Modules for ISR
Cisco 500 Series Wireless Express Mobility Controllers
http://www.cisco.com/en/US/prod/collateral/wireless/ps7306/ps7320/ps7339/end_of_life_c51-568040.html
To determine the Cisco WLC Software version that is running in a given environment, use one of the following methods:
In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version field.
In the command-line interface, issue the show sysinfo command as shown in the following example:
(Cisco Controller)> show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.121.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 7.0.112.21
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
Cisco Wireless LAN Controller Denial of Service Vulnerability
To determine if the WebAuth feature has been enabled, issue the show wlan X command (X = WLAN ID) for each of the configured wireless networks. The following example shows the feature enabled:
Web Based Authentication...................... Enabled
Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability
To determine if the IGMPv3 feature has been enabled, issue the show network summary command. The following example shows the feature enabled:
IGMP snooping............................... Enabled
Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability
To determine if the MLDv2 feature has been enabled, issue the show network summary command. The following example shows the feature enabled:
MLD snooping............................... Enabled
Summary Table:
Release columns: 4.x, 5.x, 6.x, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6 (X = affected release; the releases behind each X are listed in the "Software Versions and Fixes" section)
Cisco Wireless LAN Controller Denial of Service Vulnerability (CVE-2014-0701): X X X X
Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability (CVE-2014-0703): X
Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability (CVE-2014-0704): X X X X X X X X
Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability (CVE-2014-0705): X X X X
Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability (CVE-2014-0706): X X X
Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability (CVE-2014-0707): X X X
Recommended Release: 4.x Migrate; 5.x Migrate; 6.x Migrate; 7.0 7.0.250.0; 7.1 Migrate; 7.2 Migrate; 7.3 Migrate; 7.4 7.4.121.0; 7.5 Migrate; 7.6 7.6.100.0
Products Confirmed Not Vulnerable
The following IOS-XE based Wireless Controllers are not affected:
Cisco 5700 Series Wireless Controllers
Cisco 3600 Series Wireless Controllers
Cisco 3800 Series Wireless Controllers
No other Cisco products are currently known to be affected by these vulnerabilities.
-
The Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functionality, including security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP) and the Control and Provisioning of Wireless Access Points (CAPWAP) protocol.
The Cisco WLC family of devices is affected by the following vulnerabilities:
Cisco Wireless LAN Controller Denial of Service Vulnerability
A vulnerability in the WebAuth feature of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause the device to reload.
The vulnerability is due to a failure to deallocate memory used during the processing of a WebAuth login. An attacker could exploit this vulnerability by creating a large number of WebAuth requests at a high rate and leave them in an uncompleted state. An exploit could allow the attacker to consume all available memory on the device. This causes a watchdog process to restart the WLC, resulting in a denial of service (DoS) while the device reboots.
The WebAuth feature must be enabled and configured for a device to be affected by this vulnerability. This feature is disabled by default.
This vulnerability is documented by Cisco bug ID CSCuf52361 (registered customers only) and has been assigned CVE ID CVE-2014-0701.
Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability
A vulnerability in the Cisco IOS code that is pushed to Cisco Aironet 1260, 2600, 3500, and 3600 Series access points (AP) by a Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, remote attacker to gain unauthorized, privileged access to the affected device.
The vulnerability is due to a race condition that could result in the administrative HTTP server of an affected access point being enabled even though it is explicitly disabled by an administrator. An attacker could exploit this vulnerability by attempting to authenticate to an affected device using locally-stored credentials of the AP. A successful attack could allow an attacker to take complete control of the affected AP and make arbitrary changes to the configuration.
In many deployment scenarios, the locally-stored default AP username and password has not been changed from the factory default. In these zero-touch scenarios, the devices are designed to connect automatically to a WLC and download firmware and configurations.
This vulnerability is documented in Cisco bug ID CSCuf66202 (registered customers only) and has been assigned CVE ID CVE-2014-0703.
Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability
A vulnerability in the IGMP processing subsystem of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause a DoS condition.
The vulnerability is due to improper validation of a specific field in certain IGMP message types. When messages are processed, the IGMP subsystem may perform a memory over-read. When subsequent processing is performed on the extraneous data an error may occur that results in a reload of the device. An attacker could exploit this vulnerability by injecting a malicious IGMP version 3 message onto the network that will be received and processed by an affected WLC. An exploit could allow the attacker to trigger a critical error on the WLC, resulting in a DoS condition while the device restarts.
The IGMPv3 Snooping feature is disabled by default and must be explicitly configured by an administrator for a device to be vulnerable.
This vulnerability is documented in Cisco bug ID CSCuh33240 (registered customers only) and has been assigned CVE ID CVE-2014-0704.
Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability
A vulnerability in the multicast listener discovery (MLD) service of a Cisco WLC configured for IPv6 could allow an unauthenticated, remote attacker to cause a denial of service condition.
The vulnerability is due to a failure to properly parse malformed MLD version 2 messages. An attacker could exploit this vulnerability by submitting a malformed MLDv2 packet to a multicast-enabled network that the Cisco WLC is listening for. An exploit could allow the attacker to trigger a critical error on the WLC, resulting in a DoS condition while the device restarts.
The MLDv2 Snooping feature is disabled by default and must be explicitly configured by an administrator for a device to be vulnerable.
This vulnerability is documented in Cisco bug ID CSCuh74233 (registered customers only) and has been assigned CVE ID CVE-2014-0705.
Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.
This vulnerability is due to a failure to correctly process an Ethernet 802.11 frame. An attacker could exploit this vulnerability by sending a specially crafted Ethernet 802.11 frame. Repeated exploitation may result in a sustained DoS condition.
This vulnerability is documented in Cisco bug ID CSCue87929 (registered customers only) and has been assigned CVE ID CVE-2014-0706.
Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.
This vulnerability is due to a failure to correctly process an Ethernet 802.11 frame. An attacker could exploit this vulnerability by sending a specially crafted Ethernet 802.11 frame. Repeated exploitation may result in a sustained DoS condition.
This vulnerability is documented in Cisco bug ID CSCuf80681 (registered customers only) and has been assigned CVE ID CVE-2014-0707.
-
Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability
Administrators may mitigate this issue by configuring Global AP Management Credentials on the affected device. This will disable the defaults and help ensure that unauthorized parties are unable to access the AP via the HTTP interface.
There are no on-device workarounds that mitigate the other vulnerabilities detailed in this document.
Mitigation information for the vulnerabilities described in this advisory is available in the companion Applied Mitigation Bulletin (AMB) at the following location: Identifying and Mitigating Exploitation of Multiple Vulnerabilities in Cisco Wireless LAN Controllers
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco Wireless LAN Controller Denial of Service Vulnerability
Affected Release | First Fixed | Recommended
7.0 | 7.0.250.0 | 7.0.250.0 or 7.4.121.0*
7.2 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
7.3 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
7.4 | 7.4.110.0 | 7.4.121.0
Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability
Affected Release | First Fixed | Recommended
7.4 | 7.4.110.0 | 7.4.121.0
Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability
Affected Release | First Fixed | Recommended
4.x | N/A | Migrate to 7.0.250.0
5.x | N/A | Migrate to 7.0.250.0
6.x | N/A | Migrate to 7.0.250.0
7.0 | 7.0.250.0 | Migrate to 7.0.250.0 or 7.4.121.0*
7.1 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
7.2 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
7.3 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability
Affected Release | First Fixed | Recommended
7.2 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
7.3 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
7.4 | 7.4.121.0 | Migrate to 7.4.121.0
7.5 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
CVE-2014-0706
Affected Release | First Fixed | Recommended
7.2 | 7.2.115.2 | Migrate to 7.4.121.0 or 7.6.100.0
7.3 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
7.4 | 7.4.110.0 | 7.4.121.0
Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
CVE-2014-0707
Affected Release | First Fixed | Recommended
7.2 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
7.3 | N/A | Migrate to 7.4.121.0 or 7.6.100.0
7.4 | 7.4.110.0 | 7.4.121.0
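The version-check procedure (show sysinfo, show wlan X, show network summary) and the fix tables above can be combined into one repeatable exposure check. The following Python script is an added example, not Cisco's code and not part of this advisory: it parses the field layout quoted in the advisory's CLI examples, compares the running release with the First Fixed releases copied from the tables above, and reports per CVE whether the controller runs a fixed release, runs an affected release with the gating feature disabled, or is exposed. The sample CLI output at the bottom, including the release 7.4.100.60, is constructed for illustration and is not a real capture.

```python
"""Exposure check against the fixed releases in cisco-sa-20140305-wlc.

Added example, not Cisco's code. It parses the CLI output formats the
advisory quotes (`show sysinfo`, `show wlan <id>`, `show network summary`)
and compares the running release with the advisory's First Fixed releases.
"""
import re

# First Fixed release per CVE, keyed by release train, copied from the
# advisory's Software Versions and Fixes tables. None = no fixed release in
# that train (the advisory says migrate). A train missing from a CVE's dict
# is not listed as affected by that CVE.
FIRST_FIXED = {
    "CVE-2014-0701": {"7.0": "7.0.250.0", "7.2": None, "7.3": None, "7.4": "7.4.110.0"},
    "CVE-2014-0703": {"7.4": "7.4.110.0"},
    "CVE-2014-0704": {"4.x": None, "5.x": None, "6.x": None, "7.0": "7.0.250.0",
                      "7.1": None, "7.2": None, "7.3": None},
    "CVE-2014-0705": {"7.2": None, "7.3": None, "7.4": "7.4.121.0", "7.5": None},
    "CVE-2014-0706": {"7.2": "7.2.115.2", "7.3": None, "7.4": "7.4.110.0"},
    "CVE-2014-0707": {"7.2": None, "7.3": None, "7.4": "7.4.110.0"},
}

# CVEs that only apply when a feature is enabled, and the `show` field
# (as quoted in the advisory) that reports that feature's state.
FEATURE_GATED = {
    "CVE-2014-0701": "Web Based Authentication",
    "CVE-2014-0704": "IGMP snooping",
    "CVE-2014-0705": "MLD snooping",
}


def parse_field(output, label):
    """Return the value of a 'Label........ value' line, or None if absent."""
    m = re.search(r"^" + re.escape(label) + r"\.+\s*(\S.*?)\s*$", output, re.M)
    return m.group(1) if m else None


def version_key(version):
    """Turn '7.4.121.0' into a tuple of ints so releases compare numerically."""
    return tuple(int(p) for p in version.split("."))


def train(version):
    """Map a release to the advisory's train names: 4.x, 5.x, 6.x, 7.0 ... 7.6."""
    parts = version.split(".")
    return ".".join(parts[:2]) if parts[0] == "7" else parts[0] + ".x"


def assess(sysinfo, wlan_outputs, network_summary):
    """Return {CVE: status} for one controller from its captured CLI output."""
    version = parse_field(sysinfo, "Product Version")
    if version is None:
        raise ValueError("Product Version not found in show sysinfo output")
    enabled = {
        # WebAuth is per WLAN: any WLAN with it enabled makes the feature relevant.
        "Web Based Authentication": any(
            parse_field(o, "Web Based Authentication") == "Enabled" for o in wlan_outputs),
        "IGMP snooping": parse_field(network_summary, "IGMP snooping") == "Enabled",
        "MLD snooping": parse_field(network_summary, "MLD snooping") == "Enabled",
    }
    results = {}
    for cve, by_train in FIRST_FIXED.items():
        t = train(version)
        if t not in by_train:
            results[cve] = "not affected: release train not listed"
            continue
        fixed = by_train[t]
        if fixed is not None and version_key(version) >= version_key(fixed):
            results[cve] = "fixed in " + fixed
            continue
        gate = FEATURE_GATED.get(cve)
        if gate and not enabled[gate]:
            results[cve] = "affected release, but " + gate + " is disabled"
            continue
        results[cve] = "VULNERABLE" + ("" if fixed else ", no fix in this train: migrate")
    return results


# Constructed sample output (7.4.100.60 is chosen below the 7.4 fixes; not a real capture).
SAMPLE_SYSINFO = """Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.100.60
"""
SAMPLE_WLAN = ["Web Based Authentication...................... Enabled\n"]
SAMPLE_NETWORK = """IGMP snooping............................... Disabled
MLD snooping............................... Enabled
"""

if __name__ == "__main__":
    for cve, status in assess(SAMPLE_SYSINFO, SAMPLE_WLAN, SAMPLE_NETWORK).items():
        print(cve, status)
```

Feed it the three captured outputs per controller (one show wlan output per configured WLAN). The feature-gated CVEs are reported separately from the plain release comparison because, as the advisory states, WebAuth, IGMPv3 snooping and MLDv2 snooping are disabled by default; a controller on an affected release with those features off still warrants the upgrade, but the report makes the current exposure explicit.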
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Cisco Wireless LAN Controller Denial of Service Vulnerability, Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability, and Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability were discovered during internal testing and have not been found in customer deployments.
Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability, Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability, and Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability were discovered by the Cisco TAC while investigating customer issues.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0 2014-March-05 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.