SB2020092905 - Multiple vulnerabilities in Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family

Description

This security bulletin contains information about 12 vulnerabilities.

1) Improper access control (CVE-ID: CVE-2020-3418)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to an incomplete access control list (ACL) being applied prior to RUN state. A remote attacker on the local network can send ICMPv6 traffic prior to RUN state.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Embedded Wireless Controller on Catalyst 9100 Access Points

2) Input validation error (CVE-ID: CVE-2020-3390)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Simple Network Management Protocol (SNMP) trap generation for wireless clients. A remote attacker on the local network can send an 802.1x packet with crafted parameters during the wireless authentication setup phase of a connection and perform a denial of service (DoS) attack.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Embedded Wireless Controller on Catalyst 9100 Access Points

3) Input validation error (CVE-ID: CVE-2020-3429)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the WPA2 and WPA3 security implementation. A remote attacker on the local network can send a specially crafted authentication packet and perform a denial of service (DoS) attack.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers

4) Out-of-bounds read (CVE-ID: CVE-2020-3399)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol. A remote attacker can send a specially crafted CAPWAP packet, trigger out-of-bounds read error and cause a denial of service condition on the system.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Embedded Wireless Controller on Catalyst 9100 Access Points

5) Input validation error (CVE-ID: CVE-2020-3497)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol. A remote attacker on the local network can send a specially crafted CAPWAP packet and perform a denial of service (DoS) attack.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Embedded Wireless Controller on Catalyst 9100 Access Points

6) Input validation error (CVE-ID: CVE-2020-3494)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol. A remote attacker on the local network can send a specially crafted CAPWAP packet and perform a denial of service (DoS) attack.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Embedded Wireless Controller on Catalyst 9100 Access Points

7) Input validation error (CVE-ID: CVE-2020-3493)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol. A remote attacker on the local network can send a specially crafted CAPWAP packet and perform a denial of service (DoS) attack.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Embedded Wireless Controller on Catalyst 9100 Access Points

8) Input validation error (CVE-ID: CVE-2020-3489)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol. A remote attacker on the local network can send a specially crafted CAPWAP packet and perform a denial of service (DoS) attack.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Embedded Wireless Controller on Catalyst 9100 Access Points

9) Input validation error (CVE-ID: CVE-2020-3488)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol. A remote attacker on the local network can send a specially crafted CAPWAP packet and perform a denial of service (DoS) attack.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Embedded Wireless Controller on Catalyst 9100 Access Points

10) Input validation error (CVE-ID: CVE-2020-3487)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol. A remote attacker on the local network can send a specially crafted CAPWAP packet and perform a denial of service (DoS) attack.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Embedded Wireless Controller on Catalyst 9100 Access Points

11) Input validation error (CVE-ID: CVE-2020-3486)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol. A remote attacker on the local network can send a specially crafted CAPWAP packet and perform a denial of service (DoS) attack.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Embedded Wireless Controller on Catalyst 9100 Access Points

12) Input validation error (CVE-ID: CVE-2020-3428)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect parsing of HTTP packets while performing HTTP-based endpoint device classifications. A remote attacker on the local network can send a specially crafted HTTP packet and perform a denial of service (DoS) attack.

This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-icmpv6-qb9eYyCR
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-ewlc-snmp-dos-wNkedg9K
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wpa-dos-cXshjerc
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capwap-dos-ShFzXf
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capwap-dos-TPdNTdyq
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dclass-dos-VKh9D8k3