Cisco Security Advisory
Multiple Vulnerabilities in Cisco Wireless LAN Controllers
AV:N/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:OF/RC:C
-
Multiple vulnerabilities exist in the Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers. This security advisory outlines details of the following vulnerabilities:
-
Denial of Service Vulnerabilities (total of three)
-
Privilege Escalation Vulnerability
These vulnerabilities are independent of each other.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds available for these vulnerabilities.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090204-wlc.
-
Denial of Service Vulnerabilities (total of three)
-
Vulnerable Products
The following products and software versions are affected for each vulnerability.
Denial of Service Vulnerabilities
Two denial of service (DoS) vulnerabilities affect software versions 4.1 and later. All Cisco Wireless LAN Controller (WLC) platforms are affected.
A third DoS vulnerability affects software versions 4.1 and later. The following platforms are affected by this vulnerability:
-
Cisco 4400 Series Wireless LAN Controllers
-
Cisco Catalyst 6500 Series/7600 Series Wireless Services Module
(WiSM)
-
Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
Note: The Cisco Wireless LAN Controller Modules supported on Cisco 2800 and 3800 series Integrated Services Routers are not vulnerable. The Cisco 2000 and 2100 Series Wireless LAN Controllers are also not affected by this vulnerability.
Privilege Escalation Vulnerability
Only WLC software version 4.2.173.0 is affected by this vulnerability.
Determination of Software Versions
To determine the WLC version that is running in a given environment, use one of the following methods:
-
In the web interface, choose the Monitor tab, click
Summary in the left pane, and note the Software
Version.
-
From the command-line interface, type show sysinfo
and note the Product Version, as shown in the following
example:
(Cisco Controller) >show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... Cisco Controller Product Version...... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS
Use the show wism module
controller 1 status command on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and note the Software Version, as demonstrated in the following example:Router#show wism mod 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Cisco 4400 Series Wireless LAN Controllers
-
Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with Controller-based Access Points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP).
This Security Advisory describes multiple distinct vulnerabilities in the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These vulnerabilities are independent of each other.
Denial of Service Vulnerabilities
These vulnerabilities are documented in the following Cisco Bug ID and have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:
-
CSCsq44516
(
registered customers only)
- CVE-2009-0058
Web authentication is a Layer 3 security feature that causes the controller to drop IP traffic (except DHCP and DNS related packets) from a particular client until that client has correctly supplied a valid username and password. An attacker may use a vulnerability scanner to cause the device to stop servicing web authentication or cause a reload of the device. The following error messages may appear on the console during an active attack:
SshPmStMain/pm_st_main.c:1954/ ssh_pm_st_main_batch_addition_result: Failed to add rule to the engine: restoring old state SshEnginePmApiPm/engine_pm_api_pm.c:1896/ ssh_pme_enable_policy_lookup: Could not allocate message
Note: The affected device must have Webauth configured to be vulnerable. Devices not configured for Webauth are not vulnerable.
-
CSCsm82364
(
registered customers only)
- CVE-2009-0059
An attacker may cause a device reload when sending a malformed post to the web authentication "login.html" page. The following error messages may appear on the WLC console during this attack:
Cisco Crash Handler Signal generated during a signal 11, count 193 Memory 0x14ef1e44 has been freed!
Note: A crash file is not generated during this attack.
Note: The affected device must have Webauth configured to be vulnerable. Devices not configured for Webauth are not vulnerable.
-
CSCso60979
(
registered customers only)
- CVE-2009-0061
Affected Cisco WLC, WiSM and Catalyst 3750 Wireless LAN Controller models are vulnerable to a DoS condition that is triggered by the receipt of certain IP packets. Upon receiving these IP packets, the affected device may become unresponsive and require a reboot to recover.
Note: This vulnerability affects software versions 4.1 and later in the Cisco 4400 series WLCs, Cisco Catalyst 6500 WiSM, and the Cisco Catalyst 3750 Integrated Wireless LAN Controllers. Cisco 4100, 2100, and 2000 series WLCs are not affected by this vulnerability.
Note: Customers requiring FIPS compliance with Release 4.1.185.10 are not at risk to the vulnerabilities listed in this advisory:
CSCsq44516 and CSCsm82364—Cisco WLAN Controller FIPS compliance prohibits Webauth functionality from being enabled. Devices not configured for Webauth are not effected by these vulnerabilities.
CSCso60979—Release 4.1.185.10 is not affected by this vulnerability.
Privilege Escalation Vulnerability
A privilege escalation vulnerability exists only in WLC software version 4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain full administrative rights on the affected system.
Note: Wireless network users are not affected by this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv62283 ( registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0062.
-
CSCsq44516
(
registered customers only)
- CVE-2009-0058
-
There are no workarounds for any of these vulnerabilities.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Vulnerability/ Bug ID
Affected Release
First Fixed Version
Recommended Release
CSCsq44516
3.2
3.2.215.0
3.2.215.0
4.1
Migrate to 4.2
4.2.176.0
4.1M
Migrate to 5.2 or 4.2M
5.2.178.0 or 4.2M (see note)
4.2
4.2.173.0
4.2.176.0
5.0
Migrate to 5.2
5.2.178.0
5.1
5.1.163.0
5.1.163.0
5.2
Not vulnerable
Not Vulnerable
CSCsm82364
3.2
3.2.215.0
3.2.215.0
4.1
Migrate to 4.2
4.2.176.0
4.1M
Migrate to 5.2 or 4.2M
5.2.178.0 or 4.2M (see note)
4.2
4.2.112.0
4.2.176.0
5.0
Not vulnerable
Not vulnerable
5.1
Not vulnerable
Not vulnerable
5.2
Not vulnerable
Not vulnerable
CSCso60979
3.2
3.2.215.0
3.2.215.0
4.1
4.1.185.10
4.2.176.0
4.1 M
Migrate to 5.2 or 4.2M
5.2.178.0 or 4.2M (see note)
4.2
4.2.117.0
4.2.176.0
5.0
Migrate to 5.2
5.2.178.0
5.1
Not vulnerable
Not vulnerable
5.2
Not vulnerable
Not vulnerable
CSCsv62283
3.2
Not vulnerable
Not vulnerable
4.1
Not vulnerable
Not vulnerable
4.1M
Not vulnerable
Not vulnerable
4.2
4.2.174.0
4.2.176.0
5.0
Not Vulnerable
Not Vulnerable
5.1
Not Vulnerable
Not vulnerable
5.2
Not Vulnerable
Not vulnerable
Note: Customers running 4.1M (Mesh) should migrate as follows:
-
If using AP1505/AP1510, migrate to 4.2M (targeted for
2HCY09).
-
If using AP1520 or indoor mesh, migrate to
5.2.178.0.
-
If using AP1505/AP1510, migrate to 4.2M (targeted for
2HCY09).
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the resolution of customer support cases.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.3
2009-October-15
Added information about WLC release 3.2 in the Software Versions and Fixes table.
Revision 1.2
2009-March-11
Added 4.1M release and revised information for 5.0 and 5.2 releases in the Software Versions and Fixes table.
Revision 1.1
2009-February-11
Update with additional FIPS information.
Revision 1.0
2009-February-04
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.