topic Re: Nmap Scan indicates open ports on 5580 WLC from a client connected wirelessly. in Wireless

Nmap Scan indicates open ports on 5580 WLC from a client connected wirelessly.

mt3368 — Mon, 05 Jul 2021 17:28:47 GMT

Recently we ran a Nmap scan of our wireless network using a client connected via Wifi. The scan showed common ports over the dynamic interfaces (80,443, 22,) as open and reachable from the client. Further testing showed that we were able to connect to the dynamic interface IP over one of the open ports. I suspect this may be a vulnerability that Cisco needs to address. Any suggestions as to what can be done to restrict access to the dynamic interfaces over these ports? We have attempted to apply an ACL to the dynamic and WLAN interfaces without any success. Keep in mind the dynamic interfaces are reachable from a client over the CAPWAP tunnel.

Re: Nmap Scan indicates open ports on 5580 WLC from a client connected wirelessly.

patoberli — Wed, 29 May 2019 07:02:37 GMT

Which firmware are you running?
There somewhere once was an option to allow "management over wireless", if that is enabled, then those ports are accessible. I currently can't find the option on my WLC though, but am a tad short on time.

Re: Nmap Scan indicates open ports on 5580 WLC from a client connected wirelessly.

mt3368 — Wed, 29 May 2019 18:03:20 GMT

We are running 8.2.170. The management over wireless option is not enabled.

Re: Nmap Scan indicates open ports on 5580 WLC from a client connected wirelessly.

patoberli — Mon, 03 Jun 2019 12:04:29 GMT

Is your management interface in the same VLAN as your users clients? That could also cause this (it's advised not to do this).

Re: Nmap Scan indicates open ports on 5580 WLC from a client connected wirelessly.

mt3368 — Mon, 03 Jun 2019 15:36:16 GMT

It is not in the same vlan.

Re: Nmap Scan indicates open ports on 5580 WLC from a client connected wirelessly.

patoberli — Thu, 06 Jun 2019 06:19:32 GMT

Some weeks ago a security issue was uncovered in regards to open ports directly on the 2800, 1800, 3800 APs, but I don't think the same applies here.

I just checked my WLC and scanned its dynamic interface with a wireless client inside that VLAN and nmap showed SSH and HTTPS as open ports. I tried to connect to them, but the WLC (correctly) refused the connection. So I think those ports are indeed open, but no service is offered to the client behind those ports.

Using 8.5.140.0 here on a 5520.

Re: Nmap Scan indicates open ports on 5580 WLC from a client connected wirelessly.

mt3368 — Thu, 06 Jun 2019 13:25:06 GMT

That is the behavior I am seeing as well. Try to telnet to one of the dynamic interfaces over any of those ports then escape (ESC) or control-c and you should see a response from the WLC. While I have not been able to get a login prompt using this method, it still seems to be something that needs to be addressed by Cisco.