topic Multiple Vulnerabilities in in Wireless

OpenSSL vulnerabilities in WLC 7.4.110.0

Rene S. — Mon, 05 Jul 2021 08:12:59 GMT

Hi, version 7.4.11.0 is vulnerable to the following CVE IDs:

CVE-2014-0224 CVE-2014-0221 CVE-2014-0195 CVE-2014-0198 CVE-2010-5298 CVE-2014-3470 CVE-2014-0076

Is there a patch, that could fix it?

Thanks!

Use firmware version 7.4.121

Leo Laohoo — Fri, 11 Jul 2014 07:47:24 GMT

Use firmware version 7.4.121.0.

Multiple Vulnerabilities in

mohanak — Fri, 11 Jul 2014 08:11:25 GMT

Multiple Vulnerabilities in OpenSSL - June 2014

CSCup22587

Description

Symptom:
The following Cisco products:

Wireless Lan Controllers: 5500, 2500, Wism1, Wism2, 7500, 8500, 2100, NM-WLC, 4400

include a version of openssl that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-0224 - SSL/TLS MITM vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-3470 - Anonymous ECDH denial of service
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-0195 - DTLS invalid fragment vulnerability

This bug has been opened to address the potential impact on this product.

Conditions:
Devices with default configuration.

Affected Releases
All 4.x, 5.x, 6.x, 7.0.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x
Workaround:Not Available

More Info:
CVE-2014-3470: EDCH is not in use, but a patch for the issue will be included

Fixed Releases
Upcoming: 7.4.130.0, 7.6.130.0, 8.0, 7.0.x
Will not be fixed: 4.x, 5.x, 6.x, 7.2.x, 7.3.x, 7.5.x (all end of engineering maintenance)

Fixed code will be posted in CCO soon. For beta access contact wnbu-mrbeta@external.cisco.com

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.5:

https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Hi, thanks for your answer.

Rene S. — Thu, 24 Jul 2014 12:14:37 GMT

Hi, thanks for your answer. Do you know approximately when 7.6.130.0 will be released? Because I'll have to upgrade WLC anyway and if the release will be out soon, I would wait for it.

Thanks,

As far as I know it will be

Rasika Nayanajith — Thu, 24 Jul 2014 22:53:23 GMT

As far as I know it will be released by mid August. Let's wait & see

HTH

Rasika

**** Pls rate all useful responses ****

Is 7.4.121.0 affected or not

frankpetersatt — Tue, 05 Aug 2014 13:25:56 GMT

Is 7.4.121.0 affected or not?

I can see that 7.4.120.0 is affected and that the fix will be in 7.4.130.0 but no mentioning of 7.4.121.0.

Thanks,

Frank