Multiple Vulnerabilities in Cisco Wireless LAN Controllers

2014-03-05T16:00:00
ID CISCO-SA-20140305-WLC
Type cisco
Reporter Cisco
Modified 2014-03-05T14:39:29

Description

A vulnerability in the Cisco IOS code that is pushed to Cisco Aironet 1260, 2600, 3500, and 3600 Series access points (AP) by a Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, remote attacker to gain unauthorized, privileged access to the affected device.

The vulnerability is due to a race condition that could result in the administrative HTTP server of an affected access point being enabled even though it is explicitly disabled by an administrator. An attacker could exploit this vulnerability by attempting to authenticate to an affected device using locally-stored credentials of the AP. A successful attack could allow an attacker to take complete control of the affected AP and make arbitrary changes to the configuration.

In many deployment scenarios, the locally-stored default AP username and password have not been changed from the factory default. In these zero-touch scenarios, the devices are designed to connect automatically to a WLC and download firmware and configurations.

A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.

This vulnerability is due to a failure to correctly process an Ethernet 802.11 frame. An attacker could exploit this vulnerability by sending a specially crafted Ethernet 802.11 frame. Repeated exploitation may result in a sustained DoS condition.

A vulnerability in the IGMP processing subsystem of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause a DoS condition.

The vulnerability is due to improper validation of a specific field in certain IGMP message types. When messages are processed, the IGMP subsystem may perform a memory over-read. When subsequent processing is performed on the extraneous data, an error may occur that results in a reload of the device. An attacker could exploit this vulnerability by injecting a malicious IGMP version 3 message onto the network that will be received and processed by an affected WLC. An exploit could allow the attacker to trigger a critical error on the WLC, resulting in a DoS condition while the device restarts.

The IGMPv3 Snooping feature is disabled by default and must be explicitly configured by an administrator for a device to be vulnerable.
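
The kind of length validation whose absence leads to an over-read like the one described above, as an added example (not Cisco's code and not part of the advisory): a bounds-checked walk of an IGMPv3 Membership Report using the RFC 3376 layout. The advisory does not name the field or message type involved, so the focus on Aux Data Len and Number of Sources is an assumption for illustration; the sample packets are constructed and checksum verification is omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { IGMP3_OK = 0, IGMP3_TRUNCATED = -1, IGMP3_BAD_TYPE = -2 };
#define IGMP3_REPORT 0x22 /* Version 3 Membership Report, RFC 3376 */
#define REPORT_HDR   8    /* type, reserved, checksum, reserved, record count */
#define RECORD_HDR   8    /* record type, aux len, source count, group address */

/* Big-endian 16-bit read; the caller has already bounds-checked p. */
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Walk every group record and confirm each sender-controlled count stays
 * inside the len bytes actually received. Returns IGMP3_OK and the record
 * count in *records, or a negative code without reading past buf + len. */
int igmp3_validate_report(const uint8_t *buf, size_t len, unsigned *records)
{
    if (len < REPORT_HDR) return IGMP3_TRUNCATED;
    if (buf[0] != IGMP3_REPORT) return IGMP3_BAD_TYPE;
    unsigned nrec = be16(buf + 6);
    size_t off = REPORT_HDR;
    for (unsigned i = 0; i < nrec; i++) {
        /* The fixed record header must fit before any of its fields is read. */
        if (len - off < RECORD_HDR) return IGMP3_TRUNCATED;
        size_t aux = (size_t)buf[off + 1] * 4;        /* Aux Data Len, 32-bit words */
        size_t src = (size_t)be16(buf + off + 2) * 4; /* Number of Sources, IPv4 */
        /* Compare against bytes remaining, so the sum cannot wrap past len. */
        if (len - off - RECORD_HDR < src + aux) return IGMP3_TRUNCATED;
        off += RECORD_HDR + src + aux;
    }
    /* RFC 3376 4.2.11: octets after the last record are ignored, not parsed. */
    if (records) *records = nrec;
    return IGMP3_OK;
}

int main(void)
{
    /* Constructed samples: one record for 239.1.1.1 with one source, then the
     * same bytes with Number of Sources inflated to 64. */
    uint8_t ok[]  = {0x22,0,0,0, 0,0,0,1, 1,0,0,1,  239,1,1,1, 10,0,0,1};
    uint8_t bad[] = {0x22,0,0,0, 0,0,0,1, 1,0,0,64, 239,1,1,1, 10,0,0,1};
    unsigned n = 0;
    printf("well-formed: %d\n", igmp3_validate_report(ok, sizeof ok, &n));
    printf("inflated count: %d\n", igmp3_validate_report(bad, sizeof bad, &n));
    return 0;
}
```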

A vulnerability in the WebAuth feature of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause the device to reload.

The vulnerability is due to a failure to deallocate memory used during the processing of a WebAuth login. An attacker could exploit this vulnerability by creating a large number of WebAuth requests at a high rate and leaving them in an uncompleted state. An exploit could allow the attacker to consume all available memory on the device. This causes a watchdog process to restart the WLC, resulting in a denial of service (DoS) while the device reboots.

The WebAuth feature must be enabled and configured for a device to be affected by this vulnerability. This feature is disabled by default.

A vulnerability in the multicast listener discovery (MLD) service of a Cisco WLC configured for IPv6 could allow an unauthenticated, remote attacker to cause a denial of service condition.

The vulnerability is due to a failure to properly parse malformed MLD version 2 messages. An attacker could exploit this vulnerability by submitting a malformed MLDv2 packet to a multicast-enabled network that the Cisco WLC is listening on. An exploit could allow the attacker to trigger a critical error on the WLC, resulting in a DoS condition while the device restarts.

The MLDv2 Snooping feature is disabled by default and must be explicitly configured by an administrator for a device to be vulnerable.

The Cisco Wireless LAN Controller (WLC) product family is affected by the following vulnerabilities:

Cisco Wireless LAN Controller Denial of Service Vulnerability
Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability
Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability
Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability
Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability

Cisco has released software updates that address these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-wlc