Multiple vulnerabilities in Cisco Aironet



Published: 2018-05-07
Risk: Low
Patch available: YES
Number of vulnerabilities: 4
CVE-ID: CVE-2018-0247, CVE-2018-0234, CVE-2018-0250, CVE-2018-0249
CWE-ID: CWE-287, CWE-20, CWE-19
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:

Cisco Aironet 3700 Series
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Aironet 1850 Series Access Points
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Improper authentication

EUVDB-ID: #VU12373

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0247

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows an adjacent unauthenticated attacker to bypass security restrictions on the target system.

The weakness exists due to incorrect implementation of authentication for WebAuth clients in a specific configuration. An adjacent attacker can bypass authentication and send traffic to local network resources without having gone through authentication.

Mitigation

Update Cisco 5500 Series Wireless Controllers to 15.3(3)JF, 15.3(3)JE, 15.3(3)JD7, 15.3(3)JD5, 15.3(3)JC7, 8.5(103.0), 8.5(1.79), 8.5(1.78), 8.4(100.0), 8.4(2.65), 8.3(121.0), 8.3(114.29), 8.2(160.0), 8.2(154.27) or 8.2(154.23) or Cisco Aironet 3700 Series to 15.3(3)JG, 15.3(3)JF2, 15.3(3)JD13, 8.7(102.0), 8.7(1.54), 8.7(1.52), 8.6(101.0), 8.6(1.144), 8.6(1.143), 8.5(110.0), 8.5(107.77), 8.3(140.0), 8.3(134.25) or 8.2(167.9).

Vulnerable software versions

Cisco Aironet 3700 Series: 8.3.104.105 - 8.5.107.52

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-aironet-auth


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU12387

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0234

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the implementation of Point-to-Point Tunneling Protocol (PPTP) functionality due to insufficient validation of Generic Routing Encapsulation (GRE) frames that pass through the data plane of an affected access point. A remote attacker can initiate a PPTP connection to an affected access point from a device that is registered to the same wireless network as the access point, send a malicious GRE frame through the data plane of the access point and cause the service to crash.

Mitigation

Update to versions 8.7(102.0), 8.7(1.24), 8.6(101.0), 8.6(1.108), 8.5(110.0), 8.5(107.37) or 8.5(103.9).

Vulnerable software versions

Cisco Aironet 1850 Series Access Points: 8.4.100.0 - 8.5.103.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-ap-ptp


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper authentication

EUVDB-ID: #VU12388

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0250

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows an adjacent authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to the AP ignoring the ACL download from the client during authentication. An adjacent attacker can connect to the target device with a vulnerable configuration and bypass a configured client FlexConnect ACL.

Mitigation

Update to versions 8.6(101.0), 8.6(1.12), 8.5(103.0) or 8.5(1.140).

Vulnerable software versions

Cisco Aironet 1850 Series Access Points: 8.2.160.0 - 8.7.1.3

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-ap-acl


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Data handling

EUVDB-ID: #VU12390

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0249

CWE-ID: CWE-19 - Data Handling

Exploit availability: No

Description

The vulnerability allows an adjacent unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists due to incorrect handling of malformed or invalid 802.11 Association Requests. An adjacent attacker can send a specially crafted stream of 802.11 Association Requests to the local interface and cause the service to crash.

Mitigation

Update to versions 8.7(102.0), 8.7(1.30), 8.6(101.0), 8.6(1.117), 8.5(110.0), 8.5(107.49), 8.3(140.0), 8.3(134.8), 8.3(130.5) or 8.2(163.7).

Vulnerable software versions

Cisco Aironet 1850 Series Access Points: 8.2.161.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-aironet-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
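
Inventory triage for all four entries in this bulletin (an added example, not code from the bulletin or from Cisco): it checks access point firmware versions against the "Vulnerable software versions" ranges listed above. The function names and the sample inventory are constructed, and treating 8.5(103.0) and 8.5.103.0 as the same release is an assumption.

```python
import re

# Ranges copied from this bulletin: (CVE, product, first, last), inclusive.
AP1850 = "Cisco Aironet 1850 Series Access Points"
AP3700 = "Cisco Aironet 3700 Series"
VULNERABLE_RANGES = [
    ("CVE-2018-0247", AP3700, "8.3.104.105", "8.5.107.52"),
    ("CVE-2018-0234", AP1850, "8.4.100.0", "8.5.103.0"),
    ("CVE-2018-0250", AP1850, "8.2.160.0", "8.7.1.3"),
    ("CVE-2018-0249", AP1850, "8.2.161.0", "8.2.161.0"),
]

def parse_version(text):
    """Return '8.5.103.0' or '8.5(103.0)' as a comparable tuple of four ints.

    Assumption: both spellings name the same release. IOS-style strings
    such as '15.3(3)JF2' carry letters and are rejected, not guessed at.
    """
    parts = re.findall(r"\d+", text)
    if len(parts) != 4 or re.search(r"[A-Za-z]", text):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def cves_in_range(product, version):
    """List the bulletin's CVE IDs whose range for `product` contains `version`."""
    v = parse_version(version)
    return [cve for cve, prod, first, last in VULNERABLE_RANGES
            if prod == product and parse_version(first) <= v <= parse_version(last)]

def audit(inventory):
    """Map hostname -> list of CVE IDs, or an 'unparsed' note for odd versions."""
    report = {}
    for host, product, version in inventory:
        try:
            report[host] = cves_in_range(product, version)
        except ValueError as exc:
            report[host] = f"unparsed: {exc}"
    return report

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ap-lobby-01", AP1850, "8.5.103.0"),
    ("ap-lab-02", AP1850, "8.2(161.0)"),
    ("ap-floor3-07", AP3700, "8.5.110.0"),
    ("ap-old-09", AP3700, "15.3(3)JF2"),
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        print(host, result)
```

A range hit is a triage signal only: the bulletin lists 8.5(103.0) as a fixed release for CVE-2018-0250 while its vulnerable range runs to 8.7.1.3, and CVE-2018-0247 and CVE-2018-0250 also depend on a specific configuration, so confirm each hit against the linked Cisco advisory.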


