nessus | This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. | CISCO-SA-20160831-WLC.NASL
History | Oct 18, 2016 - 12:00 a.m.

Cisco Wireless LAN Controller Multiple Vulnerabilities

2016-10-18 00:00:00
This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
www.tenable.com

CVSS2: 6.1 Medium
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:A/AC:L/Au:N/C:N/I:N/A:C

CVSS3: 6.5 Medium
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.004 Low (Percentile: 75.1%)

According to its self-reported version, the remote Cisco Wireless LAN Controller (WLC) device is affected by multiple vulnerabilities :

  • A denial of service vulnerability exists in the traffic streams metrics (TSM) implementation using Inter-Access Point Protocol (IAPP). An unauthenticated, adjacent attacker can exploit this to cause a device restart by sending specially crafted IAPP packets which are subsequently followed by an SNMP request for TSM information. (CVE-2016-6375)

  • A denial of service vulnerability exists in the Cisco Adaptive Wireless Intrusion Prevention System (wIPS) implementation due to improper validation of wIPS packets. An unauthenticated, adjacent attacker can exploit this, via specially crafted wIPS packets, to cause the device to restart. (CVE-2016-6376)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set, only the metadata calls in
# this block run and the script leaves through exit(0) before any of the
# version-check code further down is reached.
if (description)
{
  script_id(94108);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/20");

  # Identifiers this check maps to: two CVEs, two Bugtraq IDs, two Cisco
  # advisories and the two Cisco bug IDs that the solution text refers to.
  script_cve_id(
    "CVE-2016-6375",
    "CVE-2016-6376"
  );
  script_bugtraq_id(
    92712,
    92716
  );
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160831-wlc-1");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160831-wlc-2");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz40221");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz40263");

  script_name(english:"Cisco Wireless LAN Controller Multiple Vulnerabilities");
  # The summary states the scope of the check: it compares the version only.
  script_summary(english:"Checks the WLC version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing vendor-supplied security patches.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the remote Cisco Wireless LAN
Controller (WLC) device is affected by multiple vulnerabilities :

  - A denial of service vulnerability exists in the traffic
    streams metrics (TSM) implementation using Inter-Access
    Point Protocol (IAPP). An unauthenticated, adjacent
    attacker can exploit this to cause a device restart by
    sending specially crafted IAPP packets which are
    subsequently followed by an SNMP request for TSM
    information. (CVE-2016-6375)

  - A denial of service vulnerability exists in the Cisco
    Adaptive Wireless Intrusion Prevention System (wIPS)
    implementation due to improper validation of wIPS
    packets. An unauthenticated, adjacent attacker can
    exploit this, via specially crafted wIPS packets, to
    cause the device to restart. (CVE-2016-6376)");
  # The see_also values are shortened nessus.org links; the comment above each
  # one records the Cisco advisory URL it stands for.
  # NOTE(review): both short links are plain http; treat the advisory URL in
  # the comment as the authoritative reference.
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-wlc-1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?470657bf");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-wlc-2
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1a4df7fe");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patches referenced in Cisco bug ID CSCuz40221 and
CSCuz40263.");
  # Base vectors: adjacent network, no authentication or privileges, impact on
  # availability only (A:C in CVSS2, A:H in CVSS3). Temporal vectors: exploit
  # code unproven (E:U), official fix available (RL:OF / RL:O), report
  # confirmed (RC:C). The two exploit attributes below say the same thing.
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Disclosure and patch share the same date; the plugin followed on 2016/10/18.
  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/18");

  # Two CPEs are attached: the WLC software (o:) and the WLC hardware (h:).
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:wireless_lan_controller_software");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:wireless_lan_controller");
  script_end_attributes();

  # Registered in the information-gathering category and the CISCO family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");

  # Declares cisco_wlc_version.nasl as a dependency and requires the two KB
  # keys that the version check after this block reads. The model key is read
  # there as well but is not required here.
  script_dependencies("cisco_wlc_version.nasl");
  script_require_keys("Host/Cisco/WLC/Version", "Host/Cisco/WLC/Port");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");

# Version and port come from the KB. Both are fetched with
# get_kb_item_or_exit(), so the script ends here when either key is missing.
# The verdict below rests entirely on this self-reported version string:
# nothing in this script looks at whether wIPS or TSM/SNMP is enabled, so a
# match means "fixed release not installed", not "confirmed exploitable".
version = get_kb_item_or_exit("Host/Cisco/WLC/Version");
port = get_kb_item_or_exit("Host/Cisco/WLC/Port");

# Device label for the report; the model is optional and is appended only when
# the KB holds a non-empty value.
device = "Cisco Wireless LAN Controller";
model = get_kb_item("Host/Cisco/WLC/Model");
if (!empty_or_null(model))
  device += " " + model;
# `fix` doubles as the verdict: it stays empty unless one of the three tests
# below matches. The tests are separate ifs, so a later match would overwrite
# an earlier one.
fix = "";

# 6.x, 7.x, 8.0.x < 8.0.140.0
#   pattern 1: any version starting with "6." or "7."
#   pattern 2: a bare "8.0" (end of string, or a character that is neither
#              "." nor a digit)
#   pattern 3: "8.0." followed by a third component of 0 through 139
if (
  version =~ "^[67]\." ||
  version =~ "^8\.0($|[^\.0-9])" ||
  version =~ "^8\.0\.([0-9]|[0-9][0-9]|1[0-3][0-9])($|[^0-9])"
)
  fix = "Upgrade to 8.0(140.0) or later.";

# 8.1 or 8.2.x < 8.2.121.0
# NOTE(review): the first pattern matches only a bare "8.1" or "8.2" (it
# rejects a following "." or digit) and the second covers 8.2.0 through
# 8.2.120 only. A full 8.1.x.y string such as "8.1.102.0" (constructed
# example) therefore matches neither and ends in AUDIT_DEVICE_NOT_VULN. If the
# whole 8.1 train is meant to be reported, as the "8.1" above suggests,
# confirm against the two Cisco advisories and add a pattern for 8.1.x;
# as written this looks like a silent false negative.
if (
  version =~ "^8\.[12]($|[^\.0-9])" ||
  version =~ "^8\.2\.([0-9]|[0-9][0-9]|1[01][0-9]|120)($|[^0-9])"
)
  fix = "Upgrade to 8.2(121.0) or later.";

# 8.3.x < 8.3.102.0
#   a bare "8.3", or "8.3." followed by a third component of 0 through 101
if (
  version =~ "^8\.3($|[^\.0-9])" ||
  version =~ "^8\.3\.([0-9]|[0-9][0-9]|10[01])($|[^0-9])"
)
  fix = "Upgrade to 8.3(102.0) or later.";

# No pattern matched: audit the device as not vulnerable and stop. This is also
# the outcome for every release train the patterns do not mention (anything
# outside 6.x through 8.3), which is reported as not vulnerable rather than as
# unknown. NOTE(review): verify that this is intended for trains older than 6.x.
if (!fix) audit(AUDIT_DEVICE_NOT_VULN, device, version);

# Build the report with a fixed field order (device, installed version, fix
# advice) and emit it at warning severity on the port taken from the KB.
order = make_list("Device", "Installed version", "Fixed version");
report = make_array(
  order[0], device,
  order[1], version,
  order[2], fix
);
report = report_items_str(report_items:report, ordered_fields:order);

security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
Vendor | Product | Version | CPE
cisco | wireless_lan_controller_software | | cpe:/o:cisco:wireless_lan_controller_software
cisco | wireless_lan_controller | | cpe:/h:cisco:wireless_lan_controller
