#VU15413 Privilege escalation in Cisco Wireless LAN Controller
Vulnerability identifier: #VU15413
Vulnerability risk: Low
CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
Cisco Wireless LAN Controller
Hardware solutions /
Firmware
Vendor: Cisco Systems, Inc
Description
The vulnerability allows an adjacent authenticated attacker to gain elevated privileges on the target system.
The weakness exists in the authentication and authorization checking mechanisms of Cisco Wireless LAN Controller (WLC) Software due to the dynamic assignment of Security Group Tags (SGTs) during a wireless roam from one Service Set Identifier (SSID) to another within the Cisco TrustSec domain. An adjacent attacker can attempt to acquire an SGT from other SSIDs within the domain and gain privileged network access that should be prohibited under normal circumstances.
Mitigation
The vulnerability has been addressed in the versions 8.8(1.86), 8.5(131.0), 8.5(124.33), 8.5(120.7), 8.5(120.6)
Vulnerable software versions
Cisco Wireless LAN Controller: 8.5.120.0
External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlan-escalation
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
