Multiple vulnerabilities in Cisco Wireless LAN Controller



Published: 2018-10-18
Risk: Low
Patch available: YES
Number of vulnerabilities: 7
CVE-ID: CVE-2018-0420, CVE-2018-0416, CVE-2018-0417, CVE-2018-0442, CVE-2018-0443, CVE-2018-15395, CVE-2018-0388
CWE-ID: CWE-22, CWE-200, CWE-264, CWE-79
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Cisco Wireless LAN Controller (Hardware solutions / Firmware)
Vendor: Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU15408

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0420

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The weakness exists in the web-based interface of Cisco Wireless LAN Controller Software due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames and pathnames. A remote attacker can use directory traversal techniques to submit a path to a desired file location and view system files on the targeted device, which may contain sensitive information.

Mitigation

The vulnerability has been addressed in the versions 8.7(102.0), 8.7(1.11), 8.6(101.0), 8.6(1.98), 8.5(110.0), 8.5(107.54), 8.3(140.0), 8.3(134.89), 8.2(170.0), 8.2(167.208), 8.2(167.8).

Vulnerable software versions

Cisco Wireless LAN Controller: 8.2.151.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-traversa...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU15409

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0416

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists in the web-based interface of Cisco Wireless LAN Controller Software due to incomplete input and validation checking mechanisms in the web-based interface URL request. A remote attacker can request specific URLs via the web-based interface and view sensitive system information.

Mitigation

The vulnerability has been addressed in the versions 8.9(1.65), 8.8(100.0), 8.8(1.176), 8.5(137.11), 8.5(135.0), 8.5(134.102), 8.5(131.8), 8.5(124.106), 8.3(141.10).

Vulnerable software versions

Cisco Wireless LAN Controller: 8.5.130.0 - 8.9.1.52

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-id


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Privilege escalation

EUVDB-ID: #VU15410

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0417

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists in TACACS authentication with Cisco Wireless LAN Controller (WLC) Software due to incorrect parsing of a specific TACACS attribute received in the TACACS response from the remote TACACS server. A remote attacker can authenticate via TACACS to the GUI on the affected device, create local user accounts with administrative privileges on an affected WLC and execute other commands that are not allowed from the CLI and should be prohibited.

Mitigation

The vulnerability has been addressed in the versions 8.8(1.57), 8.7(102.0), 8.7(1.135), 8.5(131.0), 8.5(124.51), 8.3(143.6), 8.2(170.0), 8.2(167.211).

Vulnerable software versions

Cisco Wireless LAN Controller: 8.7.1.115

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-gui-privesc


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU15411

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0442

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software due to insufficient condition checks in the part of the code that handles CAPWAP keepalive requests. A remote attacker can send a specially crafted CAPWAP keepalive packet to a vulnerable Cisco WLC device and retrieve the contents of device memory, which can lead to the disclosure of confidential information.

Mitigation

The vulnerability has been addressed in the versions 8.7(102.0), 8.7(1.14), 8.6(101.0), 8.6(1.103), 8.5(110.0), 8.5(107.59), 8.3(140.0), 8.3(134.67), 8.2(170.0), 8.2(167.207), 8.2(167.8), 8.0(154.2).

Vulnerable software versions

Cisco Wireless LAN Controller: 8.2.151.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-memory-leak


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Information disclosure

EUVDB-ID: #VU15412

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0443

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software due to improper input validation on fields within CAPWAP Discovery Request packets. A remote attacker can cause the Cisco WLC Software to disconnect associated access points (APs).

Mitigation

The vulnerability has been addressed in the versions 8.7(102.0), 8.7(1.14), 8.6(101.0), 8.6(1.103), 8.5(110.0), 8.5(107.59), 8.3(140.0), 8.3(134.67), 8.2(170.0), 8.2(167.207), 8.2(167.8), 8.0(154.2).

Vulnerable software versions

Cisco Wireless LAN Controller: 8.2.151.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Privilege escalation

EUVDB-ID: #VU15413

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15395

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows an adjacent authenticated attacker to gain elevated privileges on the target system.

The weakness exists in the authentication and authorization checking mechanisms of Cisco Wireless LAN Controller (WLC) Software due to the dynamic assignment of Security Group Tags (SGTs) during a wireless roam from one Service Set Identifier (SSID) to another within the Cisco TrustSec domain. An adjacent attacker can attempt to acquire an SGT from other SSIDs within the domain and gain privileged network access that should be prohibited under normal circumstances.

Mitigation

The vulnerability has been addressed in the versions 8.8(1.86), 8.5(131.0), 8.5(124.33), 8.5(120.7), 8.5(120.6).

Vulnerable software versions

Cisco Wireless LAN Controller: 8.5.120.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlan-escalation


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Cross-site scripting

EUVDB-ID: #VU15414

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0388

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

The vulnerability has been addressed in the versions 8.9(1.11), 8.8(106.22), 8.8(100.0), 8.8(1.116), 8.5(137.1), 8.5(135.0), 8.5(134.102), 8.5(131.7), 8.5(124.106), 8.3(141.10), 8.2(170.0), 8.2(167.211).

Vulnerable software versions

Cisco Wireless LAN Controller: 8.3.133.0 - 8.5.120.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlan-xss


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


