Cisco Aironet Access Points Plagued By Critical, High-Severity Flaws

Cisco Systems has released a security update stomping out critical and high-severity flaws impacting its Aironet access points, which are entry-level wireless access points (APs) used by mid-size enterprises in their offices or small warehouses.

It also issued a slew of additional patches addressing other flaws in its products.

The most severe of the AP bugs is a critical glitch that could allow unauthenticated, remote attackers to gain unauthorized access to targeted devices – giving them elevated privileges such as the ability to view sensitive data and tamper with the device configuration. The flaw exists in Cisco’s software that powers the Aironet networking APs, which allow other Wi-Fi devices to connect to a wired network.

“An exploit could allow the attacker to gain access to the device with elevated privileges,” said Cisco in a Wednesday advisory. “While the attacker would not be granted access to all possible configuration options, it could allow the attacker to view sensitive information and replace some options with values of their choosing, including wireless network configuration. It would also allow the attacker to disable the [access point], creating a denial of service (DoS) condition for clients associated with the [access point].”

The vulnerability (CVE-2019-15260) has a CVSS score of 9.8 out of 10.0, making it critical in severity. The flaw specifically stems from insufficient access control for certain URLs on impacted Aironet devices. An attacker could exploit this vulnerability by requesting specific URLs from an affected AP, using the AP’s web-based configuration management system. Impacted Aironet APs include the 1540, 1560, 1800, 2800, 3800 and 4800 series.

Cisco’s Aironet APs were also impacted by two high-severity vulnerabilities.

One of these stems from a flaw in a processing functionality in Aironet access points that specifically processes “point-to-point tunneling” protocol VPN packets. These are an obsolete method for implementing virtual private networks on devices. The flaw (CVE-2019-15261) could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial-of-service (DoS) condition.

The other high-severity vulnerability (CVE-2019-15264) exists in the “Control and Provisioning of Wireless Access Points” protocol implementation of Cisco Aironet and Catalyst 9100 APs. This standard networking protocol enables a central wireless LAN access controller to manage a collection of wireless APs.

The flaw could allow an unauthenticated, adjacent attacker to cause an affected device to restart unexpectedly, resulting in DoS, according to Cisco.

“The vulnerability is due to improper resource management during [Control and Provisioning of Wireless Access Points] message processing,” according to Cisco. “An attacker could exploit this vulnerability by sending a high volume of legitimate wireless management frames within a short time to an affected device. A successful exploit could allow the attacker to cause a device to restart unexpectedly, resulting in a DoS condition for clients associated with the [APs].”

High-Severity Flaws

Overall, Cisco issued patches for vulnerabilities tied to 41 CVEs on Wednesday, including the critical flaw, 17 high-severity vulnerabilities, and 23 medium severity glitches.

Up to 13 high-severity vulnerabilities were discovered in Cisco’s SPA100 Series Analog Telephone Adapters, which provide analog phones used by small businesses with access to internet phone services. The flaws could enable an authenticated, adjacent attacker to execute arbitrary code with elevated privileges, according to Tenable researchers who discovered them.

The flaws stem from an improper validation of user-supplied input to the web-based management interface of the adapters, which is enabled by default for the devices.

“An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device,” according to Cisco’s advisory. “A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.”

These vulnerabilities affect Cisco SPA112 2-Port Phone Adapter and SPA122 ATA with Router devices that are running firmware releases 1.4.1 SR4 and earlier and that have the web-based management interface enabled, Cisco said. Cisco SPA100 Series Firmware Release 1.4.1SR5 will address these vulnerabilities.

Other high-severity flaws include a DoS flaw (CVE-2019-15262) in Cisco’s Wireless LAN Controller Secure Shell and a cross-site request forgery vulnerability (CVE-2019-12636) in Cisco’s Small Business Smart and Managed Switch lineup.

In September, Cisco released patches for 29 bugs that addressed flaws in a wide range of its products including routers and switches running the IOS XE networking software. Thirteen of the vulnerabilities revealed are rated high severity.

_What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free _Threatpost webinar_, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” _Click here to register.