Cisco Security Advisory

Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Advisory ID: cisco-sa-20140305-wlc

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-wlc

Revision 1.0

For Public Release 2014 March 5 16:00 UTC (GMT)


Summary

The Cisco Wireless LAN Controller (WLC) product family is affected by the following vulnerabilities:

  • Cisco Wireless LAN Controller Denial of Service Vulnerability
  • Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability
  • Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability
  • Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability
  • Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
  • Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability

Cisco has released free software updates that address these vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-wlc

Affected Products

The Cisco WLC product family is affected by multiple vulnerabilities. Affected versions of Cisco WLC Software vary depending on the specific vulnerability.

Vulnerable Products

For specific version information, see the "Software Versions and Fixes" section of this advisory. 
At least one of the vulnerabilities covered in this security advisory affects each of the following products:

Stand Alone Controllers

  • Cisco 500 Series Wireless Express Mobility Controllers
  • Cisco 2000 Series Wireless LAN Controllers
  • Cisco 2100 Series Wireless LAN Controllers
  • Cisco 2500 Series Wireless Controllers
  • Cisco 4100 Series Wireless LAN Controllers
  • Cisco 4400 Series Wireless LAN Controllers
  • Cisco 5500 Series Wireless Controllers
  • Cisco Flex 7500 Series Wireless Controllers
  • Cisco 8500 Series Wireless Controllers
  • Cisco Virtual Wireless Controller

Modular Controllers

  • Cisco Catalyst 6500 Series/7600 Series Wireless Services Module (Cisco WiSM)
  • Cisco Wireless Services Module version 2 (WiSM2)
  • Cisco NME-AIR-WLC Module for Integrated Services Routers (ISRs)
  • Cisco NM-AIR-WLC Module for Integrated Services Routers (ISRs)
  • Cisco Catalyst 3750G Integrated WLC
  • Cisco Wireless Controller Software for Services-Ready Engine (SRE) *
* Covers the Integrated Services Module 300 and Cisco Services-Ready Engine 700, 710, 900, and 910 products.

Note: The Cisco 2000 Series WLC, Cisco 4100 Series WLC, Cisco NM-AIR-WLC, and Cisco 500 Series Wireless Express Mobility Controllers have reached end-of-software maintenance. The end-of-life document for each model is listed below:

  • Cisco 2000 Series WLC: http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6308/prod_end-of-life_notice0900aecd805d22b0.html
  • Cisco NM-AIR-WLC Modules for ISR: http://www.cisco.com/en/US/prod/collateral/modules/ps2797/prod_end-of-life_notice0900aecd806aeb34.html
  • Cisco 500 Series Wireless Express Mobility Controllers: http://www.cisco.com/en/US/prod/collateral/wireless/ps7306/ps7320/ps7339/end_of_life_c51-568040.html

To determine the Cisco WLC Software version that is running in a given environment, use one of the following methods:

In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version field.

In the command-line interface, issue the show sysinfo command as shown in the following example:
(Cisco Controller)> show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.121.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 7.0.112.21
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2

Cisco Wireless LAN Controller Denial of Service Vulnerability

To determine if the WebAuth feature has been enabled, issue the show wlan <X> command (X = WLAN ID) for each of the configured wireless networks. The following example shows the feature enabled:
Web Based Authentication...................... Enabled

Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability

To determine if the IGMPv3 feature has been enabled, issue the show network summary command. The following example shows the feature enabled:
IGMP snooping............................... Enabled

Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability

To determine if the MLDv2 feature has been enabled, issue the show network summary command. The following example shows the feature enabled:
MLD snooping............................... Enabled
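The three checks above (running release from show sysinfo, and the WebAuth, IGMP snooping and MLD snooping state from show wlan and show network summary) can be scripted against a saved CLI capture. The following is an added example, not a Cisco tool: it parses the dotted "Label...... Value" lines the WLC prints, maps the running release to its release train, and looks up the first-fixed release for each CVE using the data from this advisory's "Software Versions and Fixes" tables. The CLI capture embedded in the block is constructed for illustration (the version 7.4.100.0 in it is a placeholder), and the 4.x/5.x/6.x train naming follows the advisory's summary table.

```python
"""Assess a Cisco WLC CLI capture against cisco-sa-20140305-wlc.

Added example, not Cisco tooling. Fix data below is transcribed from the
advisory's "Software Versions and Fixes" section; None means the advisory
lists no fix in that train (migrate). Trains absent from a CVE's entry are
not listed as affected for that CVE.
"""
import re

FIRST_FIXED = {
    "CVE-2014-0701": {"7.0": "7.0.250.0", "7.2": None, "7.3": None, "7.4": "7.4.110.0"},
    "CVE-2014-0703": {"7.4": "7.4.110.0"},
    "CVE-2014-0704": {"4.x": None, "5.x": None, "6.x": None, "7.0": "7.0.250.0",
                      "7.1": None, "7.2": None, "7.3": None},
    "CVE-2014-0705": {"7.2": None, "7.3": None, "7.4": "7.4.121.0", "7.5": None},
    "CVE-2014-0706": {"7.2": "7.2.115.2", "7.3": None, "7.4": "7.4.110.0"},
    "CVE-2014-0707": {"7.2": None, "7.3": None, "7.4": "7.4.110.0"},
}

# Feature that must be enabled for the vulnerable code to be reachable,
# keyed by the label the CLI prints for it (from the advisory's detection steps).
REQUIRED_FEATURE = {
    "CVE-2014-0701": "Web Based Authentication",
    "CVE-2014-0704": "IGMP snooping",
    "CVE-2014-0705": "MLD snooping",
}

# Constructed capture for illustration; the version is a placeholder.
SAMPLE_CAPTURE = """\
(Cisco Controller)> show sysinfo
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.100.0
(Cisco Controller)> show network summary
IGMP snooping............................... Enabled
MLD snooping............................... Disabled
(Cisco Controller)> show wlan 1
Web Based Authentication...................... Enabled
"""


def parse_version(text):
    """'7.4.121.0' -> (7, 4, 121, 0) so releases compare numerically."""
    return tuple(int(p) for p in text.strip().split("."))


def train_of(version):
    """4.x/5.x/6.x are tracked per major release, 7.x per major.minor."""
    return f"{version[0]}.x" if version[0] < 7 else f"{version[0]}.{version[1]}"


def parse_cli(capture):
    """Turn 'Label......... Value' lines into a {label: value} dict."""
    fields = {}
    for line in capture.splitlines():
        m = re.match(r"\s*(.+?)\.{2,}\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def assess(capture):
    """Return {cve: status} for the release and feature state in the capture."""
    fields = parse_cli(capture)
    running = parse_version(fields["Product Version"])
    train = train_of(running)
    results = {}
    for cve, fixes in FIRST_FIXED.items():
        if train not in fixes:
            results[cve] = "not affected (train not listed)"
            continue
        fixed = fixes[train]
        if fixed is not None and running >= parse_version(fixed):
            results[cve] = f"fixed (running >= {fixed})"
            continue
        feature = REQUIRED_FEATURE.get(cve)
        if feature and fields.get(feature, "Disabled") != "Enabled":
            results[cve] = f"vulnerable code, but {feature} is disabled"
        elif fixed is None:
            results[cve] = "vulnerable (no fix in this train; migrate)"
        else:
            results[cve] = f"vulnerable (upgrade to {fixed} or later)"
    return results


if __name__ == "__main__":
    for cve, status in assess(SAMPLE_CAPTURE).items():
        print(f"{cve}: {status}")
```

Feed it the concatenated output of the three show commands. A result of "vulnerable code, but ... disabled" still means the upgrade is due; it only means the feature gate the advisory describes is currently closed, which is worth re-checking after any configuration change.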

Summary Table (affected release trains per vulnerability, as detailed in the Software Versions and Fixes section):

  • Cisco Wireless LAN Controller Denial of Service Vulnerability (CVE-2014-0701): 7.0, 7.2, 7.3, 7.4
  • Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability (CVE-2014-0703): 7.4
  • Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability (CVE-2014-0704): 4.x, 5.x, 6.x, 7.0, 7.1, 7.2, 7.3
  • Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability (CVE-2014-0705): 7.2, 7.3, 7.4, 7.5
  • Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability (CVE-2014-0706): 7.2, 7.3, 7.4
  • Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability (CVE-2014-0707): 7.2, 7.3, 7.4

Recommended Release per train:

  • 4.x: Migrate
  • 5.x: Migrate
  • 6.x: Migrate
  • 7.0: 7.0.250.0
  • 7.1: Migrate
  • 7.2: Migrate
  • 7.3: Migrate
  • 7.4: 7.4.121.0
  • 7.5: Migrate
  • 7.6: 7.6.100.0

Products Confirmed Not Vulnerable

The following IOS-XE based Wireless Controllers are not affected:

  • Cisco 5700 Series Wireless Controllers
  • Cisco 3600 Series Wireless Controllers
  • Cisco 3800 Series Wireless Controllers

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

The Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functionality, including security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP) and the Control and Provisioning of Wireless Access Points (CAPWAP) protocol.

The Cisco WLC family of devices is affected by the following vulnerabilities:

Cisco Wireless LAN Controller Denial of Service Vulnerability

A vulnerability in the WebAuth feature of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause the device to reload.

The vulnerability is due to a failure to deallocate memory used during the processing of a WebAuth login. An attacker could exploit this vulnerability by creating a large number of WebAuth requests at a high rate and leave them in an uncompleted state. An exploit could allow the attacker to consume all available memory on the device. This causes a watchdog process to restart the WLC, resulting in a denial of service (DoS) while the device reboots.

The WebAuth feature must be enabled and configured for a device to be affected by this vulnerability. This feature is disabled by default.

This vulnerability is documented by Cisco bug ID CSCuf52361 (registered customers only) and has been assigned CVE ID CVE-2014-0701.

Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability

A vulnerability in the Cisco IOS code that is pushed to Cisco Aironet 1260, 2600, 3500, and 3600 Series access points (AP) by a Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, remote attacker to gain unauthorized, privileged access to the affected device.

The vulnerability is due to a race condition that could result in the administrative HTTP server of an affected access point being enabled even though it is explicitly disabled by an administrator. An attacker could exploit this vulnerability by attempting to authenticate to an affected device using locally-stored credentials of the AP. A successful attack could allow an attacker to take complete control of the affected AP and make arbitrary changes to the configuration.

In many deployment scenarios, the locally-stored default AP username and password has not been changed from the factory default. In these zero-touch scenarios, the devices are designed to connect automatically to a WLC and download firmware and configurations.

This vulnerability is documented in Cisco bug ID CSCuf66202 (registered customers only) and has been assigned CVE ID CVE-2014-0703.

Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability

A vulnerability in the IGMP processing subsystem of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause a DoS condition.

The vulnerability is due to improper validation of a specific field in certain IGMP message types. When messages are processed, the IGMP subsystem may perform a memory over-read. When subsequent processing is performed on the extraneous data an error may occur that results in a reload of the device. An attacker could exploit this vulnerability by injecting a malicious IGMP version 3 message onto the network that will be received and processed by an affected WLC. An exploit could allow the attacker to trigger a critical error on the WLC, resulting in a DoS condition while the device restarts.

The IGMPv3 Snooping feature is disabled by default and must be explicitly configured by an administrator for a device to be vulnerable.

This vulnerability is documented in Cisco bug ID CSCuh33240 (registered customers only) and has been assigned CVE ID CVE-2014-0704.

Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability

A vulnerability in the multicast listener discovery (MLD) service of a Cisco WLC configured for IPv6 could allow an unauthenticated, remote attacker to cause a denial of service condition.

The vulnerability is due to a failure to properly parse malformed MLD version 2 messages. An attacker could exploit this vulnerability by submitting a malformed MLDv2 packet to a multicast-enabled network that the Cisco WLC is listening for. An exploit could allow the attacker to trigger a critical error on the WLC, resulting in a DoS condition while the device restarts.

The MLDv2 Snooping feature is disabled by default and must be explicitly configured by an administrator for a device to be vulnerable.

This vulnerability is documented in Cisco bug ID CSCuh74233 (registered customers only) and has been assigned CVE ID CVE-2014-0705.

Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability

A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.

This vulnerability is due to a failure to correctly process an Ethernet 802.11 frame. An attacker could exploit this vulnerability by sending a specially crafted Ethernet 802.11 frame. Repeated exploitation may result in a sustained DoS condition.

This vulnerability is documented in Cisco bug ID CSCue87929 (registered customers only) and has been assigned CVE ID CVE-2014-0706.

Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability

A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.

This vulnerability is due to a failure to correctly process an Ethernet 802.11 frame. An attacker could exploit this vulnerability by sending a specially crafted Ethernet 802.11 frame. Repeated exploitation may result in a sustained DoS condition.

This vulnerability is documented in Cisco bug ID CSCuf80681 (registered customers only) and has been assigned CVE ID CVE-2014-0707.

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss




Cisco Wireless LAN Controller Denial of Service Vulnerability - CSCuf52361

CVSS Base Score - 7.8
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Complete

CVSS Temporal Score - 6.4
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability - CSCuf66202

CVSS Base Score - 10.0
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

CVSS Temporal Score - 8.7
  Exploitability: High
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability - CSCuh33240

CVSS Base Score - 7.8
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Complete

CVSS Temporal Score - 6.4
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability - CSCuh74233

CVSS Base Score - 7.1
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Complete

CVSS Temporal Score - 5.9
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability - CSCue87929

CVSS Base Score - 7.8
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Complete

CVSS Temporal Score - 6.4
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability - CSCuf80681

CVSS Base Score - 7.8
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Complete

CVSS Temporal Score - 6.4
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed


Impact

Successful exploitation of the Cisco Wireless LAN Controller Denial of Service Vulnerability, Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability, or Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload. Repeated exploitation could result in a sustained DoS Condition.

Successful exploitation of the Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability could allow an unauthenticated, remote attacker to take complete control of an AP that has been associated to an affected Cisco WLC.

Successful exploitation of either of the vulnerabilities identified as Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability could allow an unauthenticated, adjacent attacker to cause an affected device to reload.

Software Versions and Fixes

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Cisco Wireless LAN Controller Denial of Service Vulnerability (CVE-2014-0701)

  Affected Release   First Fixed   Recommended
  7.0                7.0.250.0     7.0.250.0 or 7.4.121.0*
  7.2                N/A           Migrate to 7.4.121.0 or 7.6.100.0
  7.3                N/A           Migrate to 7.4.121.0 or 7.6.100.0
  7.4                7.4.110.0     7.4.121.0
  * 4400/WiSM1/3750/2000 controllers cannot upgrade beyond 7.0 code

Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability (CVE-2014-0703)

  Affected Release   First Fixed   Recommended
  7.4                7.4.110.0     7.4.121.0

Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability (CVE-2014-0704)

  Affected Release   First Fixed   Recommended
  4.x                N/A           Migrate to 7.0.250.0
  5.x                N/A           Migrate to 7.0.250.0
  6.x                N/A           Migrate to 7.0.250.0
  7.0                7.0.250.0     Migrate to 7.0.250.0 or 7.4.121.0*
  7.1                N/A           Migrate to 7.4.121.0 or 7.6.100.0
  7.2                N/A           Migrate to 7.4.121.0 or 7.6.100.0
  7.3                N/A           Migrate to 7.4.121.0 or 7.6.100.0
  * 4400/WiSM1/3750/2000 controllers cannot upgrade beyond 7.0 code

Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability (CVE-2014-0705)

  Affected Release   First Fixed   Recommended
  7.2                N/A           Migrate to 7.4.121.0 or 7.6.100.0
  7.3                N/A           Migrate to 7.4.121.0 or 7.6.100.0
  7.4                7.4.121.0     Migrate to 7.4.121.0
  7.5                N/A           Migrate to 7.4.121.0 or 7.6.100.0

Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability (CVE-2014-0706)

  Affected Release   First Fixed   Recommended
  7.2                7.2.115.2     Migrate to 7.4.121.0 or 7.6.100.0
  7.3                N/A           Migrate to 7.4.121.0 or 7.6.100.0
  7.4                7.4.110.0     7.4.121.0

Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability (CVE-2014-0707)

  Affected Release   First Fixed   Recommended
  7.2                N/A           Migrate to 7.4.121.0 or 7.6.100.0
  7.3                N/A           Migrate to 7.4.121.0 or 7.6.100.0
  7.4                7.4.110.0     7.4.121.0


Workarounds

Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability

Administrators may mitigate this issue by configuring Global AP Management Credentials on the affected device. This will disable the defaults and help ensure that unauthorized parties are unable to access the AP via the HTTP interface.

There are no on-device workarounds that mitigate the other vulnerabilities detailed in this document.

Mitigation information for the vulnerabilities described in this advisory is available in the companion Applied Mitigation Bulletin (AMB) at the following location: Identifying and Mitigating Exploitation of Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Obtaining Fixed Software

Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers Using Third-Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Cisco Wireless LAN Controller Denial of Service Vulnerability, Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability, and Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability were discovered during internal testing and have not been found in customer deployments.

Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability, Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability, and Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability were discovered by the Cisco TAC while investigating customer issues.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-wlc

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.


Revision History

Revision 1.0 2014-March-05 Initial public release.

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.
