Friday, September 10, 2010

Cisco wireless controllers open to attack: Jim Duffy, Network World

Advisory describes seven vulnerabilities with no workarounds
By Jim Duffy on Thu, 09/09/10 - 4:03pm.

Cisco this week issued a security advisory for its wireless LAN controllers, which are susceptible to seven vulnerabilities including denial of service, privilege escalation and access control list bypass. The advisory can be found here.

The affected products include the Cisco 2000, 2100, 4100, 4400 and 5500 series controllers; Wireless Services Modules (WiSMs); wireless LAN controller modules for the Cisco Integrated Services Routers; and integrated controllers for the Catalyst 3750G switch. The products are affected by at least one of the seven vulnerabilities.

There are two DoS vulnerabilities, three privilege escalation vulnerabilities and two ACL bypass holes. The DoS vulnerabilities are an Internet Key Exchange (IKE) DoS vulnerability and an HTTP DoS vulnerability.

The IKE glitch allows an attacker with the ability to send a malicious IKE packet to an affected Cisco controller to cause the device to crash and reload. This vulnerability can be exploited from both wired and wireless segments.

IKE is enabled by default in the controllers and cannot be disabled, the Cisco advisory states. Only traffic destined to the Cisco controller could trigger this vulnerability, not transient traffic, according to the advisory.

The IKE DoS vulnerability affects Cisco controller software versions 3.2 and later.

The HTTP hole allows an authenticated attacker with the ability to send a series of malicious HTTP packets to an affected Cisco controller to cause the device to reload. This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability, the advisory states.

This vulnerability is also triggered by traffic destined for the controller, not transient traffic.

The HTTP DoS vulnerability affects Cisco controller software versions 4.2 and later.

The three privilege escalation vulnerabilities could allow an authenticated attacker with read-only privileges to modify the device configuration. The privilege escalation vulnerabilities affect Cisco controller software versions 4.2 and later.

The ACL vulnerabilities involve traffic to and from wireless clients or all traffic destined for the controller CPU. The vulnerabilities could allow an unauthenticated attacker to bypass policies that should be enforced by CPU-based ACLs. No other ACL types are affected by these vulnerabilities, the Cisco advisory states.

One of the two ACL bypass vulnerabilities affects Cisco controller software versions 4.1 and later. The second ACL bypass vulnerability affects Cisco controller software versions 6.0.x.

Cisco says it has released free software updates that address these vulnerabilities. There are no workarounds to mitigate them, the company says. Cisco also says it is not aware of any public announcements or malicious use of the vulnerabilities, which were found during internal testing and troubleshooting of customer service requests.
