topic Re: Vulnerability issue in wlc in Network Security

Vulnerability issue in wlc

Leftz — Mon, 25 Apr 2022 19:21:50 GMT

Hi We have wlc. and got the below vulnerability message from tenable. Now I have two questions:

1, in addition to upgrading ios, there is other way to resolve it?

2. We scan all devices all the time, and we did not get the below warning message before, why the below warning message come to up this time scan? can we say scan standard change? Thank you

Cisco Wireless LAN Controller Secure Shell (SSH) Denial of Service Vulnerability (cisco-sa-20191016-wlc-ssh-dos)

According to its self-reported version, Cisco Wireless LAN Controller (WLC) is affected by a denial of service (DoS)

Re: Vulnerability issue in wlc

MHM Cisco World — Mon, 25 Apr 2022 19:24:21 GMT

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp34148 <- check this bug

Re: Vulnerability issue in wlc

Flavio Miranda — Mon, 25 Apr 2022 19:33:21 GMT

"1, in addition to upgrading, there is other way to resolve it?"

Try to keep the WLC in a environment where the management is well controlled. Use a dedicated network for that. Use ACL CPU to allow only a few network or IP address to access the WLC using SSH.

"2. We scan all devices all the time, and we did not get the below warning message before, why the below warning message come to up this time scan? can we say scan standard change? Thank you"

Something has change on the scan software.

DoS is a vulneratiliry that affect any eletronic system in the whole world. I very complicate protect against DoS.

Re: Vulnerability issue in wlc

Leftz — Mon, 25 Apr 2022 20:56:45 GMT

Thanks for your reply.

The below message is from that link MHM provided.

Symptom: A vulnerability in the Secure Shell (SSH) session management for Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to the SSH process not being properly deleted when a remote management connection to the device is disconnected. An attacker could exploit this vulnerability by repeatedly performing a remote management connection to the device and terminating the connection in an unexpected manner. A successful exploit could allow the attacker to cause the SSH processes to fail to delete, which can lead to a system-wide denial of service (DoS) condition.

Please see the highlighted above. Since the vulnerability is caused by improper SSH process, Looks like that the issue might be fixed by some change, do you think so?

Or do we have some commands change can fix this issue? Thanks

Re: Vulnerability issue in wlc

Leo Laohoo — Mon, 25 Apr 2022 23:13:44 GMT

Please refer to Cisco Wireless LAN Controller Secure Shell Denial of Service Vulnerability Security Bulletin.

1. There is no workaround. Software upgrade fixes this security vulnerability.

2. This is a very old Security Bulletin. It was announced in 2019.

Re: Vulnerability issue in wlc

Leftz — Fri, 29 Apr 2022 13:27:56 GMT

@Flavio Miranda

" Try to keep the WLC in a environment where the management is well controlled. Use a dedicated network for that. Use ACL CPU to allow only a few network or IP address to access the WLC using SSH. "

Can you talk a little bit more detail about it? or give an example for it. I am interested in your comment. Thank you!

Re: Vulnerability issue in wlc

Flavio Miranda — Fri, 29 Apr 2022 13:41:16 GMT

Hi, sure thing.

It is not uncommon that companies keep management ip address on the same network as data traffic. But, a good network design must create a separate network for Management only. This network should be allowed only for networks admin. You can have a portal from where the admin can access the clients they will use to access network devices: SSH, Web, etc.

And this well-known network management must be permited on the device with ACL. On Cisco WLC you can configure CPU ACL permiting only a specific network or IP address to send SSH and HTTPS request. The same can be done on switches and router using Console and VTY ACL.

On this management network you can also allow traffic like Netflow, SNMP, Syslog, etc. Everything else, you let out of this network.

those are good practices and not hard to implement.

Re: Vulnerability issue in wlc

Leftz — Fri, 29 Apr 2022 14:11:10 GMT

Thanks Flavio! so after adding ACL etc to the network system, how can we think it is effective? Tenable can tell that?

Re: Vulnerability issue in wlc

Flavio Miranda — Fri, 29 Apr 2022 14:20:24 GMT

Not familiar with Tanable but I believe so. Any Penatration tester out there can ensure you the network is secure, or at least less vulnerable with those action.

Of course, security is layers and layers starting with users and going through techcnologies but from telecom perspective, this action I told , can help for sure.

Re: Vulnerability issue in wlc

Leftz — Fri, 29 Apr 2022 14:29:23 GMT

Thank you all!

Re: Vulnerability issue in wlc

Leftz — Mon, 02 May 2022 18:07:57 GMT

Hi The WLC has three ssid: Corp, BYOD and Guest. If we do CPU ACL to resolve the issue, what traffic should we block? Thanks

Re: Vulnerability issue in wlc

Flavio Miranda — Mon, 02 May 2022 18:27:36 GMT

Nop., ACL CPU only blocks traffic destinated to the WLC itself. It does not block users traffic on the SSID.

Re: Vulnerability issue in wlc

Leftz — Mon, 02 May 2022 18:40:14 GMT

Thanks. but in order to configure CPU ACL, we have to indicate what traffic should be blocked and then associated it with CPU. Is this correct? if this is case, what traffic needs to be defined?

Re: Vulnerability issue in wlc

Flavio Miranda — Mon, 02 May 2022 18:40:17 GMT

Yes correct. But this traffic will come from the Wired network and those traffic must be: Telnet, SSH, SNMP,Netflow, Syslog etc. Management traffic.

Re: Vulnerability issue in wlc

Leftz — Wed, 01 Jun 2022 20:53:39 GMT

@Flavio Miranda We just tried the ACL, but it cannot work, which means we still can get the same scan result as before. Please see below. the Seq 5 and 6 are to permit our accessing to the wlc ip address and block all others. Is there some step wrong? Thanks

Re: Vulnerability issue in wlc

Flavio Miranda — Thu, 02 Jun 2022 10:18:29 GMT

Yes, you did it wrong. This ACL permits everyting to access your WLC on port 443. Please, read this post all over again and see the part I talk about to have a management network from where you should manage your devices, wlc included.

This Access List must have a specific source and the WLC as destination. If you allow everything, why do you need the ACL in the first place?