#VU67708 Improper access control in Cisco Systems, Inc Hardware solutions


Published: 2022-09-27

Vulnerability identifier: #VU67708

Vulnerability risk: Medium

CVSSv3.1: 4.1 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-20728

CWE-ID: CWE-284

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
6300 Series Embedded Services Access Points
Other software / Other software solutions
Aironet 1800 Access Points
Other software / Other software solutions
Aironet 4800 Access Points
Other software / Other software solutions
Business 100 Series Access Points
Other software / Other software solutions
Business 200 Series Access Points
Other software / Other software solutions
Cisco Aironet 1540 Series Access Points
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Aironet 1560 Series Access Points
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Aironet 2800 Series Access Points
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Aironet 3800 Series Access Points
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Catalyst 9100
Hardware solutions / Routers & switches, VoIP, GSM, etc
Catalyst IW6300 AC Heavy Duty Access Point
Hardware solutions / Routers & switches, VoIP, GSM, etc
Integrated AP on 1100 Integrated Services Routers
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Catalyst 9800 Wireless Controller
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Wireless LAN Controller
Hardware solutions / Firmware

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a logic error on the AP that forwards packets that are destined to a wireless client if they are received on the native VLAN. A remote non-authenticated attacker on the local network with access to the native VLAN can direct traffic directly to the client through their MAC/IP combination, and as a result bypass VLAN separation and potentially also bypass any Layer 3 protection mechanisms that are deployed.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

6300 Series Embedded Services Access Points: All versions

Cisco Aironet 1540 Series Access Points: All versions

Cisco Aironet 1560 Series Access Points: All versions

Aironet 1800 Access Points: All versions

Cisco Aironet 2800 Series Access Points: All versions

Cisco Aironet 3800 Series Access Points: All versions

Aironet 4800 Access Points: All versions

Business 100 Series Access Points: All versions

Business 200 Series Access Points: All versions

Cisco Catalyst 9100: All versions

Catalyst IW6300 AC Heavy Duty Access Point : All versions

Integrated AP on 1100 Integrated Services Routers: All versions

External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apvlan-TDTtb4FY
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz99036

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


VLAN separation bypass in Cisco Access Points