{"id": "SECURITYVULNS:VULN:10097", "bulletinFamily": "software", "title": "Cisco Wireless LAN Controllers multiple security vulnerabilities", "description": "Buffer overflow on authentication in embedded Web-server, multiple DoS conditions, unauthorized access to some ocnfiguration commands.", "published": "2009-07-27T00:00:00", "modified": "2009-07-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10097", "reporter": "FULL-DISCLOSURE", "references": ["https://vulners.com/securityvulns/securityvulns:doc:22216", "https://vulners.com/securityvulns/securityvulns:doc:22221"], "cvelist": ["CVE-2009-1166", "CVE-2009-1165", "CVE-2009-1167", "CVE-2009-1164"], "type": "securityvulns", "lastseen": "2018-08-31T11:09:33", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "a35acc90871d4d171f2f9fd429cba37d"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d2b6a089b80d2abf0370eae764398b1d"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "111c774611bd0cf958aba652e7e0e3ed"}, {"key": "href", "hash": "8de788b4b6f493be3b571c83bca888a3"}, {"key": "modified", "hash": "aef5ced60fca3cafe7600b4d5483190c"}, {"key": "published", "hash": "aef5ced60fca3cafe7600b4d5483190c"}, {"key": "references", "hash": "7813da0f9431aa224608bb16789b3269"}, {"key": "reporter", "hash": "d2a97514ec9b1110eb7bab67f7e3c3a9"}, {"key": "title", "hash": "9461646018a991833791798221d78e34"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "06c87594a6cde95563f609b96f346b70745b762ad6dbda8b737205b6d60e192e", "viewCount": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2018-08-31T11:09:33"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-1165", "CVE-2009-1164", "CVE-2009-1166", "CVE-2009-1167"]}, {"type": "nessus", "idList": ["CISCO-SA-20090727-WLC.NASL"]}, {"type": "cisco", "idList": ["CISCO-SA-20090727-WLC"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22221"]}], "modified": "2018-08-31T11:09:33"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "affectedSoftware": [{"name": "Cisco", "operator": "eq", "version": "4100"}, {"name": "Cisco", "operator": "eq", "version": "4400"}, {"name": "Cisco", "operator": "eq", "version": "1500"}, {"name": "Cisco", "operator": "eq", "version": "2100"}, {"name": "Cisco", "operator": "eq", "version": "2000"}, {"name": "Cisco", "operator": "eq", "version": "4200"}]}

{"cisco": [{"lastseen": "2017-09-26T15:34:10", "bulletinFamily": "software", "description": "", "modified": "2009-07-27T16:00:00", "published": "2009-07-27T16:00:00", "id": "CISCO-SA-20090727-WLC", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090727-wlc", "type": "cisco", "title": "Multiple Vulnerabilities in Cisco Wireless LAN Controllers", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:20:05", "bulletinFamily": "scanner", "description": "The remote Cisco Wireless LAN Controller (WLC) is affected by one or more of the following vulnerabilities:\n\n - Malformed HTTP or HTTPS authentication response Denial of Service (CVE-2009-1164)\n\n - SSH connections Denial of Service (CVE-2009-1165)\n\n - Crafted HTTP or HTTPS request Denial of Service (CVE-2009-1166)\n\n - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability (CVE-2009-1167)", "modified": "2018-11-15T00:00:00", "id": "CISCO-SA-20090727-WLC.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=70123", "published": "2013-09-25T00:00:00", "title": "Multiple Vulnerabilities in Cisco Wireless LAN Controllers (cisco-sa-20090727-wlc)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70123);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n\n script_cve_id(\n \"CVE-2009-1164\",\n \"CVE-2009-1165\",\n \"CVE-2009-1166\",\n \"CVE-2009-1167\"\n );\n script_bugtraq_id(35805, 35817, 35818, 35819);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSXsx03715\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsw40789\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsy27708\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsy44672\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20090727-wlc\");\n\n script_name(english:\"Multiple Vulnerabilities in Cisco Wireless LAN Controllers (cisco-sa-20090727-wlc)\");\n script_summary(english:\"Checks the WLC version.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote device is missing a vendor-supplied security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Cisco Wireless LAN Controller (WLC) is affected by one or\nmore of the following vulnerabilities:\n\n - Malformed HTTP or HTTPS authentication response Denial\n of Service (CVE-2009-1164)\n\n - SSH connections Denial of Service (CVE-2009-1165)\n\n - Crafted HTTP or HTTPS request Denial of Service\n (CVE-2009-1166)\n\n - Crafted HTTP or HTTPS request unauthorized configuration\n modification vulnerability (CVE-2009-1167)\"\n );\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090727-wlc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d7b9e59\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Apply the relevant patch referenced in Cisco Security Advisory\ncisco-sa-20090727-wlc.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:wireless_lan_controller_software\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:wireless_lan_controller\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CISCO\");\n\n script_dependencies(\"cisco_wlc_version.nasl\");\n script_require_keys(\"Host/Cisco/WLC/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/Cisco/WLC/Version\");\nmodel = get_kb_item_or_exit(\"Host/Cisco/WLC/Model\");\n\nif (\n model !~ \"15\\d\\d\" &&\n model !~ \"20\\d\\d\" &&\n model !~ \"21\\d\\d\" &&\n model !~ \"41\\d\\d\" &&\n model !~ \"42\\d\\d\" &&\n model !~ \"44\\d\\d\"\n) audit(AUDIT_HOST_NOT, \"affected\");\n\nfixed_version = \"\";\nif (version =~ \"^3\\.2\" && ver_compare(ver:version, fix:\"3.2.215.0\") == -1) fixed_version = \"3.2.215.0\";\nelse if (version =~ \"^4\\.1\") fixed_version = \"4.2 or later\";\nelse if (version =~ \"^4\\.1.*M\") fixed_version = \"5.2, 6.0, or 4.2M\";\nelse if (version =~ \"^4\\.2\" && ver_compare(ver:version, fix:\"4.2.205.0\") == -1) fixed_version = \"4.2.205.0\";\nelse if (version =~ \"^5\\.0\") fixed_version = \"5.2 or 6.0\";\nelse if (version =~ \"^5\\.1\") fixed_version = \"5.2 or 6.0\";\nelse if (version =~ \"^5\\.2\" && ver_compare(ver:version, fix:\"5.2.191.0\") == -1) fixed_version = \"5.2.191.0\";\nelse audit(AUDIT_HOST_NOT, \"affected\");\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Model : ' + model +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n';\n security_hole(port:0, extra:report);\n}\nelse security_hole(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:31", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nCisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN\r\nControllers\r\n\r\nAdvisory ID: cisco-sa-20090727-wlc\r\n\r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml\r\n\r\nRevision 1.0\r\n\r\nFor Public Release 2009 July 27 1600 UTC (GMT)\r\n\r\n- ---------------------------------------------------------------------\r\n\r\nSummary\r\n\r\nMultiple vulnerabilities exist in the Cisco Wireless LAN Controller\r\n(WLC) platforms. This security advisory outlines the details of the\r\nfollowing vulnerabilities:\r\n\r\n * Malformed HTTP or HTTPS authentication response denial of service\r\n vulnerability\r\n * SSH connections denial of service vulnerability\r\n * Crafted HTTP or HTTPS request denial of service vulnerability\r\n * Crafted HTTP or HTTPS request unauthorized configuration\r\n modification vulnerability\r\n\r\nCisco has released free software updates that address these\r\nvulnerabilities.\r\n\r\nThis advisory is posted at:\r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml\r\n\r\nAffected Products\r\n=================\r\n\r\nVulnerable Products\r\n+------------------\r\n\r\nCisco 1500 Series, 2000 Series, 2100 Series, 4400 Series, 4100\r\nSeries, 4200 Series, Wireless Services Modules (WiSM), WLC Modules\r\nfor Integrated Services Routers, and Cisco Catalyst 3750G Integrated\r\nWireless LAN Controllers are affected by one or more of the following\r\nvulnerabilities:\r\n\r\n * The malformed HTTP or HTTPS authentication response denial of\r\n service vulnerability affects software versions 4.2 and later.\r\n * The SSH connections denial of service vulnerability affects\r\n software versions 4.1 and later.\r\n * The crafted HTTP or HTTPS request denial of service vulnerability\r\n affects software versions 4.1 and later.\r\n * The crafted HTTP or HTTPS request unauthorized configuration\r\n modification vulnerability affects software versions 4.1 and\r\n later.\r\n\r\nDetermination of Software Versions\r\n+---------------------------------\r\n\r\nTo determine the WLC version that is running in a given environment,\r\nuse one of the following methods:\r\n\r\n * In the web interface, choose the Monitor tab, click Summary in\r\n the left pane, and note the Software Version field.\r\n \r\n Note: Customers who use a WLC Module in an Integrated Services\r\n Router (ISR) will need to issue the service-module\r\n wlan-controller 1/0 session command prior to performing the next\r\n step on the command line. Customers who use a Cisco Catalyst\r\n 3750G Switch with an integrated WLC Module will need to issue the\r\n session <Stack-Member-Number> processor 1 session command prior\r\n to performing the next step on the command line.\r\n \r\n * From the command-line interface, type show sysinfo and note the \r\n Product Version field, as shown in the following example:\r\n\r\n (Cisco Controller) >show sysinfo \r\n \r\n Manufacturer's Name.. Cisco Systems Inc.\r\n Product Name......... Cisco Controller\r\n Product Version...... 5.1.151.0\r\n RTOS Version......... Linux-2.6.10_mvl401\r\n Bootloader Version... 4.0.207.0\r\n Build Type........... DATA + WPS\r\n <output suppressed>\r\n \r\n\r\nUse the show wism module <module number> controller 1 status command\r\non a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a\r\nWiSM. Note the software version as demonstrated in the following\r\nexample, which shows version 5.1.151.0.\r\n\r\n Router#show wism module 3 controller 1 status\r\n \r\n WiSM Controller 1 in Slot 3\r\n Operational Status of the Controller \r\n : Oper-Up\r\n Service VLAN \r\n : 192 \r\n Service Port \r\n : 10 \r\n Service Port Mac Address \r\n : 0011.92ff.8742\r\n Service IP Address \r\n : 192.168.10.1\r\n Management IP Address \r\n : 192.168.1.123\r\n Software Version \r\n : 5.1.151.0\r\n Port Channel Number \r\n : 288 \r\n Allowed vlan list \r\n : 30,40 \r\n Native VLAN ID \r\n : 40 \r\n WCP Keep Alive Missed \r\n : 0\r\n \r\n\r\nProducts Confirmed Not Vulnerable\r\n+--------------------------------\r\n\r\nThe Cisco Wireless Controller 5500 Series is not affected by these\r\nvulnerabilities.\r\n\r\nDetails\r\n=======\r\n\r\nCisco Wireless LAN Controllers (WLCs) are responsible for system-wide\r\nwireless LAN functions, such as security policies, intrusion\r\nprevention, RF management, quality of service (QoS), and mobility.\r\n\r\nThese devices communicate with controller-based access points over\r\nany Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the\r\nLightweight Access Point Protocol (LWAPP).\r\n\r\nThis security advisory describes multiple distinct vulnerabilities in\r\nthe WLC family of devices.\r\n\r\n * Malformed HTTP or HTTPS authentication response denial of service\r\n vulnerability\r\n An attacker with access to the administrative web interface via\r\n HTTP or HTTPS may cause the device to reload by providing a\r\n malformed response to an authentication request.\r\n \r\n Note: The vulnerability can be exploited only via the\r\n administrative web-based interface; Web Authentication features\r\n are not affected.\r\n \r\n \r\n This vulnerability is documented in Cisco Bug ID CSCsx03715 and\r\n has been assigned Common Vulnerabilities and Exposures (CVE) ID\r\n CVE-2009-1164.\r\n\r\n * SSH connections denial of service vulnerability\r\n Affected devices may be susceptible to a memory leak when they\r\n handle SSH management connections. An attacker could use this\r\n behavior to cause an affected device to crash and reload.\r\n \r\n Note: A three-way handshake is not required to exploit this\r\n vulnerability.\r\n \r\n This vulnerability is documented in Cisco Bug ID CSCsw40789 and\r\n has been assigned CVE ID CVE-2009-1165.\r\n\r\n * Crafted HTTP or HTTPS request denial of service vulnerability\r\n An attacker with the ability to send a malicious HTTP request to\r\n an affected WLC could cause the device to crash and reload.\r\n \r\n Note: The vulnerability can be exploited only via the\r\n administrative web-based interface; Web Authentication features\r\n are not affected.\r\n \r\n This vulnerability is documented in Cisco Bug ID CSCsy27708 and\r\n has been assigned CVE ID CVE-2009-1166.\r\n\r\n * Crafted HTTP or HTTPS request unauthorized configuration\r\n modification vulnerability\r\n An unauthorized configuration modification vulnerability exists\r\n in all software versions prior to the first fixed release. A\r\n remote, unauthenticated attacker who can submit HTTP or HTTPS\r\n requests to the WLC directly could gain full control of the\r\n affected device.\r\n \r\n Note: The vulnerability can be exploited only by submitting such\r\n a request to an IP address that is bound to an administrative\r\n interface or VLAN.\r\n \r\n \r\n The vulnerability is documented by Cisco Bug ID CSCsy44672 and has\r\n been assigned CVE ID CVE-2009-1167.\r\n\r\nVulnerability Scoring Details\r\n=============================\r\n\r\nCisco has provided scores for the vulnerabilities in this advisory\r\nbased on the Common Vulnerability Scoring System (CVSS). The CVSS\r\nscoring in this Security Advisory is done in accordance with CVSS\r\nversion 2.0.\r\n\r\nCVSS is a standards-based scoring method that conveys vulnerability\r\nseverity and helps determine urgency and priority of response.\r\n\r\nCisco has provided a base and temporal score. Customers can then\r\ncompute environmental scores to assist in determining the impact of\r\nthe vulnerability in individual networks.\r\n\r\nCisco has provided an FAQ to answer additional questions regarding\r\nCVSS at\r\n\r\nhttp://www.cisco.com/web/about/security/intelligence/cvss-qandas.html\r\n\r\nCisco has also provided a CVSS calculator to help compute the\r\nenvironmental impact for individual networks at\r\n\r\nhttp://intellishield.cisco.com/security/alertmanager/cvss\r\n\r\nCSCsx03715 - Malformed HTTP or HTTPS authentication response denial of\r\nservice vulnerability\r\n+-----------------------------------------------------\r\n\r\nCVSS Base Score - 7.8\r\n\r\n Access Vector - Network\r\n Access Complexity - Low\r\n Authentication - None\r\n Confidentiality Impact - None\r\n Integrity Impact - None\r\n Availability Impact - Complete\r\n\r\nCVSS Temporal Score - 6.4\r\n\r\n Exploitability - Functional\r\n Remediation Level - Official-Fix\r\n Report Confidence - Confirmed\r\n\r\nCSCsw40789 - SSH connections denial of service vulnerability\r\n+-----------------------------------------------------\r\n\r\nCVSS Base Score - 7.8\r\n\r\n Access Vector - Network\r\n Access Complexity - Low\r\n Authentication - None\r\n Confidentiality Impact - None\r\n Integrity Impact - None\r\n Availability Impact - Complete\r\n\r\nCVSS Temporal Score - 6.4\r\n\r\n Exploitability - Functional\r\n Remediation Level - Official-Fix\r\n Report Confidence - Confirmed\r\n\r\nCSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability\r\n+-----------------------------------------------------\r\n\r\nCVSS Base Score - 7.8\r\n\r\n Access Vector - Network\r\n Access Complexity - Low\r\n Authentication - None\r\n Confidentiality Impact - None\r\n Integrity Impact - None\r\n Availability Impact - Complete\r\n\r\nCVSS Temporal Score - 6.4\r\n\r\n Exploitability - Functional\r\n Remediation Level - Official-Fix\r\n Report Confidence - Confirmed\r\n\r\nCSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration\r\nmodification vulnerability\r\n+-----------------------------------------------------\r\n\r\nCVSS Base Score - 10\r\n\r\n Access Vector - Network\r\n Access Complexity - Low\r\n Authentication - None\r\n Confidentiality Impact - Complete\r\n Integrity Impact - Complete\r\n Availability Impact - Complete\r\n\r\nCVSS Temporal Score - 6.4\r\n\r\n Exploitability - Functional\r\n Remediation Level - Official-Fix\r\n Report Confidence - Confirmed\r\n\r\nImpact\r\n=====\r\n\r\nSuccessful exploitation of the denial of service (DoS)\r\nvulnerabilities may cause the affected device to reload. Repeated\r\nexploitation could result in a sustained DoS condition.\r\n\r\nAn unauthenticated, remote attacker may be able to use the\r\nunauthorized configuration modification vulnerability to gain full\r\ncontrol over the Wireless LAN Controller if the attacker is able to\r\nsubmit a crafted request directly to an administrative interface of\r\nthe affected device.\r\n\r\nSoftware Versions and Fixes\r\n===========================\r\n\r\nWhen considering software upgrades, also consult\r\nhttp://www.cisco.comw/go/psirt and any subsequent advisories to\r\ndetermine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should exercise caution to be certain the\r\ndevices to be upgraded contain sufficient memory and that current\r\nhardware and software configurations will continue to be supported\r\nproperly by the new release. If the information is not clear, contact\r\nthe Cisco Technical Assistance Center (TAC) or your contracted\r\nmaintenance provider for assistance.\r\n\r\n+------------------------------------------------------+\r\n| Vulnerability/ | Affected | First | Recommended |\r\n| Bug ID | Release | Fixed | Release |\r\n| | | Version | |\r\n|----------------+----------+------------+-------------|\r\n| | 4.1 | Not | Not |\r\n| | | Vulnerable | Vulnerable |\r\n| |----------+------------+-------------|\r\n| | 4.1M | Not | Not |\r\n| | | Vulnerable | Vulnerable |\r\n| |----------+------------+-------------|\r\n| | 4.2 | 4.2.205.0 | 4.2.207.0 |\r\n| |----------+------------+-------------|\r\n| Malformed HTTP | 4.2M | Not | Not |\r\n| or HTTPS | | Vulnerable | Vulnerable |\r\n|authentication |----------+------------+-------------|\r\n| response | | Migrate to | 5.2.193.0 |\r\n| denial of | 5.0 | 5.2 or 6.0 | or |\r\n| service | | | 6.0.182.0 |\r\n|vulnerability |----------+------------+-------------|\r\n| (CSCsx03715) | | Migrate to | 5.2.193.0 |\r\n| | 5.1 | 5.2 or 6.0 | or |\r\n| | | | 6.0.182.0 |\r\n| |----------+------------+-------------|\r\n| | | | 5.2.193.0 |\r\n| | 5.2 | 5.2.178.0 | or |\r\n| | | | 6.0.182.0 |\r\n| |----------+------------+-------------|\r\n| | 6.0 | Not | Not |\r\n| | | Vulnerable | Vulnerable |\r\n|----------------+----------+------------+-------------|\r\n| | 4.1 | Migrate to | 4.2.205.0 |\r\n| | | 4.2 | |\r\n| |----------+------------+-------------|\r\n| | | | 5.2.193.0, |\r\n| | | Migrate to | 6.0.182.0 |\r\n| | 4.1M | 5.2, 6.0, | or |\r\n| | | or 4.2M | 4.2.176.51 |\r\n| | | | Mesh |\r\n| |----------+------------+-------------|\r\n| | 4.2 | 4.2.205.0 | 4.2.207.0 |\r\n| |----------+------------+-------------|\r\n| SSH | 4.2M | Not | Not |\r\n| connections | | Vulnerable | Vulnerable |\r\n|denial of |----------+------------+-------------|\r\n| service | | Migrate to | 5.2.193.0 |\r\n| vulnerability | 5.0 | 5.2 or 6.0 | or |\r\n| (CSCsw40789) | | | 6.0.182.0 |\r\n| |----------+------------+-------------|\r\n| | | | 5.2.193.0 |\r\n| | 5.1 | 5.1.163.0 | or |\r\n| | | | 6.0.182.0 |\r\n| |----------+------------+-------------|\r\n| | | | 5.2.193.0 |\r\n| | 5.2 | 5.2.178.0 | or |\r\n| | | | 6.0.182.0 |\r\n| |----------+------------+-------------|\r\n| | 6.0 | Not | Not |\r\n| | | Vulnerable | Vulnerable |\r\n|----------------+----------+------------+-------------|\r\n| | 4.1 | Migrate to | 4.2.205.0 |\r\n| | | 4.2 | |\r\n| |----------+------------+-------------|\r\n| | | | 5.2.193.0, |\r\n| | | Migrate to | 6.0.182.0 |\r\n| | 4.1 M | 5.2, 6.0, | or |\r\n| | | or 4.2M | 4.2.176.51 |\r\n| | | | Mesh |\r\n| |----------+------------+-------------|\r\n| | 4.2 | 4.2.205.0 | 4.2.207.0 |\r\n| |----------+------------+-------------|\r\n| Crafted HTTP | 4.2M | Not | Not |\r\n| request may | | Vulnerable | Vulnerable |\r\n|cause the WLC |----------+------------+-------------|\r\n| to crash | | Migrate to | 5.2.193.0 |\r\n| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |\r\n| | | | 6.0.182.0 |\r\n| |----------+------------+-------------|\r\n| | | Migrate to | 5.2.193.0 |\r\n| | 5.1 | 5.2 or 6.0 | or |\r\n| | | | 6.0.182.0 |\r\n| |----------+------------+-------------|\r\n| | | | 5.2.193.0 |\r\n| | 5.2 | 5.2.191.0 | or |\r\n| | | | 6.0.182.0 |\r\n| |----------+------------+-------------|\r\n| | 6.0 | Not | Not |\r\n| | | Vulnerable | Vulnerable |\r\n|----------------+----------+------------+-------------|\r\n| | 4.1 | Migrate to | 4.2.205.0 |\r\n| | | 4.2 | |\r\n| |----------+------------+-------------|\r\n| | | | 5.2.193.0, |\r\n| | | Migrate to | 6.0.182.0 |\r\n| | 4.1M | 5.2, 6.0, | or |\r\n| | | or 4.2M | 4.2.176.51 |\r\n| | | | Mesh |\r\n| |----------+------------+-------------|\r\n| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |\r\n|or HTTPS |----------+------------+-------------|\r\n| request | 4.2M | Not | Not |\r\n| unauthorized | | Vulnerable | Vulnerable |\r\n|configuration |----------+------------+-------------|\r\n| modification | 5.0 | Migrate to | 5.2.193.0, |\r\n| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |\r\n|(CSCsy44672) |----------+------------+-------------|\r\n| | | Migrate to | 5.2.193.0 |\r\n| | 5.1 | 5.2 or 6.0 | or |\r\n| | | | 6.0.182.0 |\r\n| |----------+------------+-------------|\r\n| | | | 5.2.193.0 |\r\n| | 5.2 | 5.2.191.0 | or |\r\n| | | | 6.0.182.0 |\r\n| |----------+------------+-------------|\r\n| | 6.0 | Not | Not |\r\n| | | Vulnerable | Vulnerable |\r\n+------------------------------------------------------+\r\n\r\nWorkarounds\r\n===========\r\n\r\nThe SSH connections denial of service vulnerability identified by\r\nCisco Bug ID CSCsw40789 may be remediated by disabling SSH on the\r\naffected device. This workaround requires subsequent management of\r\nthe device to be performed using the HTTP/HTTPS web management\r\ninterface or the serial console of the device.\r\n\r\nAdditional mitigations that can be deployed on Cisco devices in the\r\nnetwork are available in the Cisco Applied Mitigation Bulletin\r\ncompanion document for this advisory, which is available at the\r\nfollowing link:\r\nhttp://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml\r\n\r\nObtaining Fixed Software\r\n========================\r\n\r\nCisco has released free software updates that address these\r\nvulnerabilities. Prior to deploying software, customers should\r\nconsult their maintenance provider or check the software for feature\r\nset compatibility and known issues specific to their environment.\r\n\r\nCustomers may only install and expect support for the feature sets\r\nthey have purchased. By installing, downloading, accessing, or\r\notherwise using such software upgrades, customers agree to be bound by\r\nthe terms of Cisco's software license terms found at\r\nhttp://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,\r\nor as otherwise set forth at Cisco.com Downloads at\r\nhttp://www.cisco.com/public/sw-center/sw-usingswc.shtml\r\n\r\nDo not contact psirt@cisco.com or security-alert@cisco.com for\r\nsoftware upgrades.\r\n\r\nCustomers with Service Contracts\r\n================================\r\n\r\nCustomers with contracts should obtain upgraded software through\r\ntheir regular update channels. For most customers, this means that\r\nupgrades should be obtained through the Software Center on Cisco's\r\nworldwide website at http://www.cisco.com.\r\n\r\nCustomers using Third Party Support Organizations\r\n+------------------------------------------------\r\n\r\nCustomers whose Cisco products are provided or maintained through\r\nprior or existing agreements with third-party support organizations,\r\nsuch as Cisco Partners, authorized resellers, or service providers\r\nshould contact that support organization for guidance and assistance\r\nwith the appropriate course of action in regards to this advisory.\r\n\r\nThe effectiveness of any workaround or fix is dependent on specific\r\ncustomer situations, such as product mix, network topology, traffic\r\nbehavior, and organizational mission. Due to the variety of affected\r\nproducts and releases, customers should consult with their service\r\nprovider or support organization to ensure any applied workaround or\r\nfix is the most appropriate for use in the intended network before it\r\nis deployed.\r\n\r\nCustomers without Service Contracts\r\n+----------------------------------\r\n\r\nCustomers who purchase direct from Cisco but do not hold a Cisco\r\nservice contract, and customers who purchase through third-party\r\nvendors but are unsuccessful in obtaining fixed software through\r\ntheir point of sale should acquire upgrades by contacting the Cisco\r\nTechnical Assistance Center (TAC). TAC contacts are as follows.\r\n\r\n * +1 800 553 2447 (toll free from within North America)\r\n * +1 408 526 7209 (toll call from anywhere in the world)\r\n * e-mail: tac@cisco.com\r\n\r\nCustomers should have their product serial number available and be\r\nprepared to give the URL of this notice as evidence of entitlement to\r\na free upgrade. Free upgrades for non-contract customers must be\r\nrequested through the TAC.\r\n\r\nRefer to\r\nhttp://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html\r\nfor additional TAC contact information, including localized telephone\r\nnumbers, and instructions and e-mail addresses for use in various\r\nlanguages.\r\n\r\nExploitation and Public Announcements\r\n=====================================\r\n\r\nThe Cisco PSIRT is not aware of any public announcements or malicious\r\nuse of the vulnerabilities described in this advisory at the time of\r\nrelease.\r\n\r\nThe DoS vulnerability documented by CSCsw40789 was discovered during\r\nthe resolution of customer support cases.\r\n\r\nThe unauthorized configuration modification vulnerability documented\r\nby CSCsy44672 was found during internal testing.\r\n\r\nThe DoS vulnerability documented by CSCsx03715 was discovered by\r\nChristoph Bott of SySS GmbH.\r\n\r\nThe DoS vulnerability documented by CSCsy27708 was discovered by IBM\r\nResearch.\r\n\r\nStatus of this Notice: FINAL\r\n============================\r\nTHIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY\r\nKIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\r\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE\r\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\r\nAT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\r\nDOCUMENT AT ANY TIME.\r\n\r\nA stand-alone copy or Paraphrase of the text of this document that\r\nomits the distribution URL in the following section is an\r\nuncontrolled copy, and may lack important information or contain\r\nfactual errors.\r\n\r\nDistribution\r\n============\r\n\r\nThis advisory is posted on Cisco's worldwide website at :\r\n\r\nhttp://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml\r\n\r\nIn addition to worldwide web posting, a text version of this notice\r\nis clear-signed with the Cisco PSIRT PGP key and is posted to the\r\nfollowing e-mail and Usenet news recipients.\r\n\r\n * cust-security-announce@cisco.com\r\n * first-bulletins@lists.first.org\r\n * bugtraq@securityfocus.com\r\n * vulnwatch@vulnwatch.org\r\n * cisco@spot.colorado.edu\r\n * cisco-nsp@puck.nether.net\r\n * full-disclosure@lists.grok.org.uk\r\n * comp.dcom.sys.cisco@newsgate.cisco.com\r\n\r\nFuture updates of this advisory, if any, will be placed on Cisco's\r\nworldwide website, but may or may not be actively announced on\r\nmailing lists or newsgroups. Users concerned about this problem are\r\nencouraged to check the above URL for any updates.\r\n\r\nRevision History\r\n================\r\n+---------------------------------------+\r\n| Revision | | Initial |\r\n| 1.0 | 2009-July-27 | public |\r\n| | | release. |\r\n+---------------------------------------+\r\n\r\nCisco Security Procedures \r\n========================= \r\n\r\nComplete information on reporting security vulnerabilities in Cisco\r\nproducts, obtaining assistance with security incidents, and\r\nregistering to receive security information from Cisco, is available\r\non Cisco's worldwide website at\r\nhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.html\r\nThis includes instructions for press inquiries regarding Cisco\r\nsecurity notices. All Cisco security advisories are available at\r\nhttp://www.cisco.com/go/psirt\r\n\r\n\u00a9 2008 - 2009 Cisco Systems, Inc. All rights reserved.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (Darwin)\r\n\r\niD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj\r\nRTTknUlr0VuKxVZLT0f8+gQ=\r\n=x8Ly\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2009-07-27T00:00:00", "published": "2009-07-27T00:00:00", "id": "SECURITYVULNS:DOC:22221", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22221", "title": "Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2016-09-03T12:15:42", "bulletinFamily": "NVD", "description": "The administrative web interface on the Cisco Wireless LAN Controller (WLC) platform 4.2 before 4.2.205.0 and 5.x before 5.2.178.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (device reload) via a malformed response to a (1) HTTP or (2) HTTPS authentication request, aka Bug ID CSCsx03715.", "modified": "2009-08-07T01:20:43", "published": "2009-07-29T13:30:01", "id": "CVE-2009-1164", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1164", "type": "cve", "title": "CVE-2009-1164", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-03T12:15:43", "bulletinFamily": "NVD", "description": "The administrative web interface on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0 and 5.x before 5.2.191.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (device reload) via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCsy27708.", "modified": "2009-08-07T01:20:43", "published": "2009-07-29T13:30:01", "id": "CVE-2009-1166", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1166", "title": "CVE-2009-1166", "type": "cve", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-03T12:15:42", "bulletinFamily": "NVD", "description": "Memory leak on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0, 5.1 before 5.1.163.0, and 5.0 and 5.2 before 5.2.178.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (memory consumption and device reload) via SSH management connections, aka Bug ID CSCsw40789.", "modified": "2009-08-07T01:20:43", "published": "2009-07-29T13:30:01", "id": "CVE-2009-1165", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1165", "type": "cve", "title": "CVE-2009-1165", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-03T12:15:44", "bulletinFamily": "NVD", "description": "Unspecified vulnerability on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0 and 5.x before 5.2.191.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to modify the configuration via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCsy44672.", "modified": "2009-08-07T01:20:44", "published": "2009-07-29T13:30:01", "id": "CVE-2009-1167", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1167", "type": "cve", "title": "CVE-2009-1167", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}