topic WLC Drown vulnerability in Wireless

WLC Drown vulnerability

jmprats — Mon, 05 Jul 2021 11:43:59 GMT

Is Cisco WLC vulnerable to DROWN attack ?

the cisco security advisor is not very clear abot that and about the steps you must follow to protect the controller.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl

Do I need to disable SSLv2 in the wireless controller?

thanks

It is since today that the

Freerk Terpstra — Tue, 08 Mar 2016 21:33:57 GMT

It is since today that the website shows that the WLC is vulnerable. From my own testing the WLC has SSL (version 2 and 3) disabled for the web interface with software 8.0 and higher. You have to turn it on manually with the help of the "config network secureweb xyz" commands. By default it will correctly send a TCP reset if your browser only tries to negotiate SSL and not the current TLS standards.

I'm wondering why they listed the latest release as vulnerable while the default configuration has it disabled for quite some time. Maybe there is another service which uses SSL, but I have no idea what that can be (CAPWAP uses DTLS for example). I guess we have to wait for more information, in the mean time you can use the "show network summary" command to verify that SSL has been disabled for the web interface.

Please rate useful posts... 🙂

Which version of WLC are you

mohanak — Wed, 09 Mar 2016 01:53:24 GMT

Which version of WLC are you using ?

In the document which you had provided has bug related to version 8.3(15.85).

Another BUG for your reference.

SSLv3 Poodle attack against https in wlc, CVE-2014-3566

CSCur27551

Description

Symptom:
This product includes a version of SSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-3566

This bug has been opened to address the potential impact on this product.
This applies to all WLCs types (5500/wism2/2500/4400/2100/7500/8500, etc)

Conditions:
HTTPS Management, webauth are vulnerable by default

Workaround:
Use FIPS mode (config switchconfig fips-prerequisite enable ), as it restricts the supported cipher suits
Note: this config change has implications on other features, for example, restricting to SNMPv3, crypto protocols are set for only HMAC-SHA1, no RC4, etc. so validate if it is applicable on your usage scenario, and compatibility for management applications connecting to the WLC
it is recommended to move to a fixed version

Further Problem Description:
Fix now available in 7.0.251.2, 7.4.130.0, 8.0.110.0 in CCO

Type of behavior change: TLSv1 will be used for webadmin/web-auth access on WLC by default. SSLv3 which was earlier used is disabled.

Impact: Clients now have to use TLSv1 for webadmin/web-auth. If they want to use SSLv3 only then SSLv3 needs to be enabled using CLI:
config network secureweb sslv3 enable

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the
time of evaluation are: 2.6/2.5

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html