topic Re: SSH VULNERABILITY ON WLC 5508 in Wireless

SSH VULNERABILITY ON WLC 5508

Dechamo — Thu, 26 Dec 2024 16:06:50 GMT

i have 2 WLC

AIR-CT5508-50-K9 AND AIR-CT5508-25-K9 Release: 8.5.151.0

o Type of Vulnerability: SSH Bruteforceo SSH bruteforce login attempts have been detected.
o One or more valid SSH user logins have been found through bruteforcing.
o Accounts with default, null, blank, or missing passwords have been identified.
o Associated CVEs: CVE-1999-0508, CVE-1999-0502, CVE-2015-7755.

Can you help me solve this problem please ?

Re: SSH VULNERABILITY ON WLC 5508

MHM Cisco World — Thu, 26 Dec 2024 16:08:49 GMT

Sorry is this issue related to ASA ?

Why yoh tag it with ASA

MHM

Re: SSH VULNERABILITY ON WLC 5508

Dechamo — Thu, 26 Dec 2024 16:12:23 GMT

Sorry, it's not an ASA but a WLC 5508.

Re: SSH VULNERABILITY ON WLC 5508

Dustin Anderson — Thu, 26 Dec 2024 16:47:22 GMT

5508 is well past any vulnerability fixes, so there really isn't anything you can do about the issue. July 2021 was the end of vulnerability support.

https://www.cisco.com/c/en/us/products/collateral/wireless/5500-series-wireless-controllers/eos-eol-notice-c51-740221.html

Re: SSH VULNERABILITY ON WLC 5508

Rob Ingram — Thu, 26 Dec 2024 16:50:46 GMT

@Dechamo based on the information you provided, you should set passwords on the user accounts on the WLC.

You should at a minimum consider upgrading the software image, 8.5.151.0 is over 5.5 years old, the latest version 8.5.182.0, is still 3 years old. You should consider replacing the hardware, as the 5508 is end of support.

Re: SSH VULNERABILITY ON WLC 5508

MHM Cisco World — Thu, 26 Dec 2024 16:59:46 GMT

Try disable mgmt over wireless

It can reduce this DoS attack

MHM

Re: SSH VULNERABILITY ON WLC 5508

Leo Laohoo — Fri, 27 Dec 2024 01:08:24 GMT

@Dechamo wrote:

o Type of Vulnerability: SSH Bruteforceo SSH bruteforce login attempts have been detected.
o One or more valid SSH user logins have been found through bruteforcing.

Where is SSH attempts coming from? Are they coming from external IP address?

Re: SSH VULNERABILITY ON WLC 5508

Rich R — Fri, 27 Dec 2024 16:17:25 GMT

As the others have already pointed out the 5508 is long past end of support so you use them at your own risk because they are unsupported.

Nevertheless:
- Accounts with default, null, blank, or missing passwords have been identified.
It's up to you to fix this! Make sure all your user accounts have long complex passwords which are changed regularly. Ideally use a solution like TACACS to provide central authentication and authorisation (AAA) and avoid using local username/passwords except as last resort. There's lots of advice to be found on username and password security on the internet.

Release: 8.5.151.0 is dreadfully old and out of date. At the minimum you should upgrade to the last available release (8.5.182.12) which contains a number of security vulnerability fixes since 8.5.151.0. The download link is in my signature text below (it's not on the standard download pages).

Use infrastructure ACLs and/or firewall to protect the WLCs from SSH coming into your network from outside.
Use CPU ACL on the WLC to restrict SSH access to the WLC itself.
As @MHM Cisco World said disable management over wireless.

Re: SSH VULNERABILITY ON WLC 5508

Scott Fella — Mon, 30 Dec 2024 18:20:23 GMT

Might as well put my 2cents.... If you have TACACS and or syslog, you should be able to detect and see where any failures are coming from. That way you can put a plan into action. What you are seeing is because you are probably using local accounts, this would be something in general you should be cleaning up even with other network devices you have in your network. This should be an eye opener and something you should plan on reviewing not just on your 5508's, but everywhere. TACACS is what you should implement if not already, also if you are using TACACS, you probably are allowing local then TACACS, which might be why the scans are catching this.