04-25-2022 12:21 PM - edited 04-25-2022 12:21 PM
Hi, we have a WLC and got the below vulnerability message from Tenable. Now I have two questions:
1. In addition to upgrading the IOS, is there another way to resolve it?
2. We scan all devices all the time, and we did not get the below warning message before. Why did the below warning message come up in this scan? Can we say the scan standard changed? Thank you
Cisco Wireless LAN Controller Secure Shell (SSH) Denial of Service Vulnerability (cisco-sa-20191016-wlc-ssh-dos)
According to its self-reported version, Cisco Wireless LAN Controller (WLC) is affected by a denial of service (DoS)
04-25-2022 12:24 PM
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp34148 <- check this bug
04-25-2022 12:33 PM
"1. In addition to upgrading, is there another way to resolve it?"
Try to keep the WLC in an environment where the management is well controlled. Use a dedicated network for that. Use a CPU ACL to allow only a few networks or IP addresses to access the WLC using SSH.
"2. We scan all devices all the time, and we did not get the below warning message before. Why did the below warning message come up in this scan? Can we say the scan standard changed? Thank you"
Something has changed in the scan software.
DoS is a vulnerability that affects any electronic system in the whole world. It is very complicated to protect against DoS.
04-25-2022 12:50 PM - edited 04-25-2022 01:56 PM
Thanks for your reply.
The below message is from the link MHM provided.
Symptom: A vulnerability in the Secure Shell (SSH) session management for Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to the SSH process not being properly deleted when a remote management connection to the device is disconnected. An attacker could exploit this vulnerability by repeatedly performing a remote management connection to the device and terminating the connection in an unexpected manner. A successful exploit could allow the attacker to cause the SSH processes to fail to delete, which can lead to a system-wide denial of service (DoS) condition.
Please see the highlighted text above. Since the vulnerability is caused by an improper SSH process, it looks like the issue might be fixed by some change, do you think so?
Or do we have some command change that can fix this issue? Thanks
04-25-2022 04:13 PM
Please refer to Cisco Wireless LAN Controller Secure Shell Denial of Service Vulnerability Security Bulletin.
1. There is no workaround. Software upgrade fixes this security vulnerability.
2. This is a very old Security Bulletin. It was announced in 2019.
04-29-2022 06:25 AM - edited 04-29-2022 06:27 AM
"Try to keep the WLC in an environment where the management is well controlled. Use a dedicated network for that. Use a CPU ACL to allow only a few networks or IP addresses to access the WLC using SSH."
Can you talk in a little more detail about it, or give an example of it? I am interested in your comment. Thank you!
04-29-2022 06:41 AM
Hi, sure thing.
It is not uncommon for companies to keep the management IP address on the same network as data traffic. But a good network design must create a separate network for management only. This network should be allowed only for network admins. You can have a portal from which the admins can access the clients they will use to access network devices: SSH, web, etc.
And this well-known management network must be permitted on the device with an ACL. On a Cisco WLC you can configure a CPU ACL permitting only a specific network or IP address to send SSH and HTTPS requests. The same can be done on switches and routers using console and VTY ACLs.
On this management network you can also allow traffic like NetFlow, SNMP, Syslog, etc. Everything else you keep out of this network.
Those are good practices and not hard to implement.
04-29-2022 07:11 AM
Thanks Flavio! So after adding ACLs etc. to the network system, how can we know it is effective? Can Tenable tell that?
04-29-2022 07:20 AM
Not familiar with Tenable, but I believe so. Any penetration tester out there can assure you the network is secure, or at least less vulnerable, with those actions.
Of course, security is layers and layers, starting with users and going through technologies, but from a telecom perspective, the action I told you about can help for sure.
04-29-2022 07:29 AM
Thank you all!
05-02-2022 11:07 AM
Hi, the WLC has three SSIDs: Corp, BYOD and Guest. If we do a CPU ACL to resolve the issue, what traffic should we block? Thanks
05-02-2022 11:27 AM
Nope. A CPU ACL only blocks traffic destined to the WLC itself. It does not block user traffic on the SSIDs.
05-02-2022 11:36 AM - edited 05-02-2022 11:40 AM
Thanks, but in order to configure a CPU ACL, we have to indicate what traffic should be blocked and then associate it with the CPU. Is this correct? If this is the case, what traffic needs to be defined?
05-02-2022 11:40 AM
Yes, correct. But this traffic will come from the wired network, and that traffic must be: Telnet, SSH, SNMP, NetFlow, Syslog, etc. Management traffic.
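Worked example, added here and not part of any post in the thread: an AireOS CPU ACL that puts the advice from the two replies above (restrict SSH/HTTPS to the management network; the CPU ACL only filters traffic addressed to the controller, not SSID client traffic) into CLI form. The management subnet 10.10.10.0/24 and the ACL name MGMT-ONLY are made up for the example; the syntax is the 8.x `config acl` family, and the `config acl cpu` form differs on older releases (which also take a wired/wireless/both argument), so check it against the configuration guide for your release. Lines starting with `!` are annotations, not WLC commands.

```cisco
! Added example (assumed 8.x AireOS CLI, made-up subnet and ACL name).
! Design: explicitly permit management ports from the admin subnet,
! explicitly deny those ports from everywhere else, then permit
! everything else. The final permit keeps CAPWAP, RADIUS, DHCP, NTP,
! SNMP and Syslog reaching the controller, because WLC ACLs end in an
! implicit deny-all that would otherwise drop them.

config acl create MGMT-ONLY

! Rule 1: admin subnet -> SSH (TCP/22). Direction "any" is assumed to
! be the right setting for a CPU ACL on this release.
config acl rule add MGMT-ONLY 1
config acl rule protocol MGMT-ONLY 1 6
config acl rule source address MGMT-ONLY 1 10.10.10.0 255.255.255.0
config acl rule destination port range MGMT-ONLY 1 22 22
config acl rule direction MGMT-ONLY 1 any
config acl rule action MGMT-ONLY 1 permit

! Rule 2: admin subnet -> HTTPS (TCP/443).
config acl rule add MGMT-ONLY 2
config acl rule protocol MGMT-ONLY 2 6
config acl rule source address MGMT-ONLY 2 10.10.10.0 255.255.255.0
config acl rule destination port range MGMT-ONLY 2 443 443
config acl rule direction MGMT-ONLY 2 any
config acl rule action MGMT-ONLY 2 permit

! Rules 3-5: anyone else -> SSH/Telnet (22-23), HTTP (80), HTTPS (443)
! is denied. Port ranges must be contiguous, hence three rules.
config acl rule add MGMT-ONLY 3
config acl rule protocol MGMT-ONLY 3 6
config acl rule destination port range MGMT-ONLY 3 22 23
config acl rule direction MGMT-ONLY 3 any
config acl rule action MGMT-ONLY 3 deny

config acl rule add MGMT-ONLY 4
config acl rule protocol MGMT-ONLY 4 6
config acl rule destination port range MGMT-ONLY 4 80 80
config acl rule direction MGMT-ONLY 4 any
config acl rule action MGMT-ONLY 4 deny

config acl rule add MGMT-ONLY 5
config acl rule protocol MGMT-ONLY 5 6
config acl rule destination port range MGMT-ONLY 5 443 443
config acl rule direction MGMT-ONLY 5 any
config acl rule action MGMT-ONLY 5 deny

! Rule 6: everything else (any protocol, any source) is permitted so the
! implicit deny-all never fires on AP or AAA traffic.
config acl rule add MGMT-ONLY 6
config acl rule direction MGMT-ONLY 6 any
config acl rule action MGMT-ONLY 6 permit

! Commit the ACL, bind it to the CPU, verify, and save.
config acl apply MGMT-ONLY
config acl cpu MGMT-ONLY
show acl cpu
show acl detailed MGMT-ONLY
save config
```

Apply it from a console session, not over SSH, so a mis-ordered rule cannot lock you out. To confirm it took effect, open an SSH connection to the management IP from a host outside 10.10.10.0/24 (it should time out with no banner) and from a host inside the subnet (it should still prompt for login). Note what this does and does not do for the scanner: the Tenable finding quoted at the top of the thread is "according to its self-reported version", so a controller whose SSH is reachable from the scanner will keep reporting a vulnerable version and the plugin will keep firing; the ACL reduces who can reach the SSH service at all, and only the software upgrade removes the finding.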
06-01-2022 01:53 PM
@Flavio Miranda We just tried the ACL, but it did not work, which means we still get the same scan result as before. Please see below. Seq 5 and 6 are to permit our access to the WLC IP address and block all others. Is some step wrong? Thanks