Resource exhaustion in Cisco Systems, Inc products - CVE-2021-1356

 

Resource exhaustion in Cisco Systems, Inc products - CVE-2021-1356

Published: March 25, 2021


Vulnerability identifier: #VU51726
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-1356
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Wireless LAN Controller
Cisco Catalyst 9800 Series Wireless Controllers
Cisco IOS XE

Detailed vulnerability description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the web UI of Cisco IOS XE Software. A remote authenticated user can send specially crafted  HTTP requests to the web UI and cause the web management software to hang and consume all available vty lines, preventing new session establishment.


How to mitigate CVE-2021-1356

Install updates from vendor's website.

Sources