Recent Cisco Access-Point & Wireless LAN Controller Vulnerabilities
by Robinson Roca
Practice Leader – Network Infrastructure
Helient strives to keep abreast and informed of vulnerabilities that can cause issues that impact our clients’ infrastructure. As you know, vulnerabilities are discovered every day, but because Helient keeps such a close relationship with our clients and their environments, we are sensitive to the pains they can feel and stay vigilant to what can harm them most. When vulnerabilities are released, they can sometimes be difficult to understand, and a hard to understand vulnerability warning isn’t worth a thing if you can’t glean what’s needed to protect yourself. Below you will find clear and easy to understand meanings to the recently announced Cisco Aironet vulnerabilities.
Several CVE (Common Vulnerability and Exposure) reports were published yesterday on a few Cisco Aironet Wireless Access-Points and the Cisco Wireless LAN controller. The CVEs are based around the various communication methods the APs use.
Below we’ve included the CVE designation, Cisco’s Bug ID, which Cisco uses to keep track of various bugs, a link to Cisco’s webpage describing the vulnerability and the CVSS (Common Vulnerability Scoring System) Score. The Common Vulnerability Scoring System is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS tries to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. A score of 0.0 receives a “None” rating; a 0.1 – 3.9 score gets a “Low” severity rating; a score of 4.0 – 6.9 is a “Medium” rating; score of 7.0 – 8.9 is a “High” rating; and a score of 9.0 – 10.0 is a “Critical” rating. These scores help to better define the severity of these vulnerabilities.
CVE-2019-15260
Cisco Bug ID: CSCvm54888
CVSS Score: Base 9.8
The typical vulnerability where there is insufficient access controls on specific on-board management URLs. Essentially a mistake in code allows a user to access specific on board URLs which can allow the attacker to execute specific commands. The exploit could allow an attacker access with elevated privileges to the AP. A user with elevated privileges due to the CVE can cause any number of DoS (Denial of Service) attacks to the Access-Point itself, thereby potentially affecting users connecting to the AP.
This impacts the following Cisco access-Points:
- Aironet 1540 Series APs
- Aironet 1560 Series APs
- Aironet 1800 Series APs
- Aironet 2800 Series APs
- Aironet 3800 Series APs
- Aironet 4800 APs
CVE-2019-15262
Cisco Bug ID: CSCvp34148
CVSS Score: Base 8.6
This vulnerability is especially nasty, as it can affect all users on all access-points connected to a Vulnerable Cisco Wireless LAN controller. This exploit takes advantage of a mistake in code where SSH sessions are not properly deleted in memory after an SSH session is disconnected. An attacker could continuously open SSH sessions until system resources are exhausted, causing a Denial of Service against the WLC. Depending on the configuration of the Wireless infrastructure, APs in Flex connect mode may not experience an outage as they can withstand a temporary loss of the controller, with caveats of course.
This vulnerability affects Cisco WLC Software releases 8.5.140.0 and earlier.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-wlc-ssh-dos
CVE-2019-15261
Cisco BUG ID: CSCvk79807
CVSS Score: Base 8.6
This particular vulnerability is especially scary, as it could potentially cause your IT staff headaches when access Points randomly reload. This vulnerability has to do with the way the AP processes VPN packets as they pass through the data plane of the AP. When a PPTP connection is made to a PPTP server, and malicious GRE packets are passed through the PPTP connection, the Access-Point will read those malicious GRE packets and cause an internal process on the AP to crash, thereby causing the AP to automatically reload to clear the crashed process.
As of today, this affects the following access-Points:
- Aironet 1810 Series APs
- Aironet 1830 Series APs
- Aironet 1850 Series APs
CVE-2019-15264
Cisco Bug ID: CSCvo40697
CVSS Score: Base 7.4
This Vulnerability is very specific to the Cisco 9100 Access-Point. Typically Access-Point use a “VPN Tunnel” of sorts when connecting to their associated wireless LAN controller. They do this to tunnel and protect data as it passes through the wired network back to the wireless LAN controller. The Tunnel is also used for control plan traffic to and from the AP. The Vulnerability is due to the improper resource management during CAPWAP message processing. Essentially, an attacker can send a high volume of access-point management frames to the AP within a short period of time and cause a reload of the AP. This of course would cause a Denial of Service as the AP is reloading.
If you have any questions or need assistance with remediation, please contact us at service@helient.com.