Vulnerability issue in WLC

Leftz (Level 4)

Hi, we have a WLC and got the below vulnerability message from Tenable. Now I have two questions:

1. In addition to upgrading IOS, is there another way to resolve it?

2. We scan all devices all the time, and we did not get the below warning message before. Why did the below warning message come up in this scan? Can we say the scan standard changed? Thank you


Cisco Wireless LAN Controller Secure Shell (SSH) Denial of Service Vulnerability (cisco-sa-20191016-wlc-ssh-dos)

According to its self-reported version, Cisco Wireless LAN Controller (WLC) is affected by a denial of service (DoS)


"1, in addition to upgrading, there is other way to resolve it?"

Try to keep the WLC in an environment where management is well controlled. Use a dedicated network for that. Use a CPU ACL to allow only a few networks or IP addresses to access the WLC using SSH.

"2. We scan all devices all the time, and we did not get the below warning message before, why the below warning message come to up this time scan? can we say scan standard change? Thank you"

Something has changed in the scan software.

DoS is a vulnerability that affects any electronic system in the whole world. It is very complicated to protect against DoS.

 

Leftz (Level 4)

Thanks for your reply. 

The below message is from the link MHM provided.

Symptom: A vulnerability in the Secure Shell (SSH) session management for Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to the SSH process not being properly deleted when a remote management connection to the device is disconnected. An attacker could exploit this vulnerability by repeatedly performing a remote management connection to the device and terminating the connection in an unexpected manner. A successful exploit could allow the attacker to cause the SSH processes to fail to delete, which can lead to a system-wide denial of service (DoS) condition.

Please see the highlighted text above. Since the vulnerability is caused by an improper SSH process, it looks like the issue might be fixed by some change, do you think so?

Or do we have some command changes that can fix this issue? Thanks

Leo Laohoo (Hall of Fame)

Please refer to Cisco Wireless LAN Controller Secure Shell Denial of Service Vulnerability Security Bulletin.

1. There is no workaround. A software upgrade fixes this security vulnerability.

2. This is a very old security bulletin. It was announced in 2019.

Leftz (Level 4)

@Flavio Miranda 

" Try to keep the WLC in a environment where the management is well controlled. Use a dedicated network for that. Use ACL CPU to allow only a few network or IP address to access the WLC using SSH. "

Can you talk about it in a little more detail, or give an example? I am interested in your comment. Thank you!

Hi, sure thing.

It is not uncommon for companies to keep the management IP address on the same network as data traffic. But a good network design must create a separate network for management only. This network should be allowed only for network admins. You can have a portal from which the admins can access the clients they use to reach network devices: SSH, web, etc.

And this well-known management network must be permitted on the device with an ACL. On a Cisco WLC you can configure a CPU ACL permitting only a specific network or IP address to send SSH and HTTPS requests. The same can be done on switches and routers using console and VTY ACLs.

On this management network you can also allow traffic like NetFlow, SNMP, syslog, etc. Everything else, you keep out of this network.

Those are good practices and not hard to implement.

Leftz (Level 4)

Thanks Flavio! So after adding the ACL etc. to the network system, how can we tell it is effective? Can Tenable tell that?

Not familiar with Tenable but I believe so. Any penetration tester out there can assure you the network is secure, or at least less vulnerable, with those actions.

Of course, security is layers and layers, starting with users and going through technologies, but from a telecom perspective, the actions I described can help for sure.

Leftz (Level 4)

Thank you all!

Leftz (Level 4)

Hi, the WLC has three SSIDs: Corp, BYOD and Guest. If we use a CPU ACL to resolve the issue, what traffic should we block? Thanks

No, a CPU ACL only blocks traffic destined to the WLC itself. It does not block user traffic on the SSIDs.

Leftz (Level 4)

Thanks. But in order to configure a CPU ACL, we have to indicate what traffic should be blocked and then associate it with the CPU. Is this correct? If this is the case, what traffic needs to be defined?

Yes, correct. But this traffic will come from the wired network, and that traffic must be: Telnet, SSH, SNMP, NetFlow, syslog, etc. Management traffic.
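To make the advice in this thread concrete (a management-only network permitted by a CPU ACL, the ACL filtering only traffic destined to the WLC itself, and the question of how to tell whether it is effective), here is an added Python model that is not part of the thread and not Cisco's code. It assumes first-match evaluation with an implicit deny at the end, applied only to packets whose destination is the controller's management address; the addresses, the ACL name MGMT-CPU and the sequence numbers are constructed, and the AireOS `config acl` lines it renders are written from memory and should be checked against the command reference of your release. One caveat a practitioner should keep in mind: the Tenable text quoted at the top of the thread says the finding is based on the controller's self-reported version, so a version-based plugin will keep firing after the ACL is applied; the ACL reduces who can reach SSH, and the way to confirm that is a reachability test from an address outside the permitted set.

```python
"""Model of a Cisco WLC CPU ACL: which management traffic reaches the controller.

Added illustration, not the thread's configuration. Assumptions: first-match
evaluation, implicit deny, evaluated only for packets addressed to the WLC's
own management IP. All addresses and names are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int
    src: str          # source network in CIDR form, "0.0.0.0/0" for any
    proto: str        # "tcp", "udp" or "any"
    dport: tuple      # (low, high) destination port range; (0, 65535) = any
    action: str       # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


WLC_MGMT_IP = "10.0.0.5"        # constructed controller management address
ADMIN_NET = "10.10.10.0/24"     # constructed management-only admin network

# Shape of the ACL the thread describes: permit the admin network for the
# management protocols, then deny everything else. Sequence numbers are
# illustrative; the WLC evaluates rules in sequence order.
CPU_ACL = [
    Rule(1, ADMIN_NET, "tcp", (22, 22), "permit"),      # SSH from admins
    Rule(2, ADMIN_NET, "tcp", (443, 443), "permit"),    # HTTPS from admins
    Rule(3, ADMIN_NET, "udp", (161, 161), "permit"),    # SNMP from admins
    Rule(5, "0.0.0.0/0", "any", (0, 65535), "deny"),    # everything else
]


def matches(rule, pkt):
    """True when the packet fits the rule's source, protocol and port range."""
    in_src = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src, strict=False)
    proto_ok = rule.proto == "any" or rule.proto == pkt.proto
    port_ok = rule.dport[0] <= pkt.dport <= rule.dport[1]
    return in_src and proto_ok and port_ok


def cpu_acl_decision(acl, pkt):
    """Return 'bypass' for traffic not addressed to the WLC (client data on
    the SSIDs is never evaluated here), otherwise the first matching action,
    or 'deny' when nothing matches (implicit deny)."""
    if pkt.dst_ip != WLC_MGMT_IP:
        return "bypass"
    for rule in sorted(acl, key=lambda r: r.seq):
        if matches(rule, pkt):
            return rule.action
    return "deny"


def ssh_reachable_from(acl, source_ips):
    """The effectiveness check: which of the given sources can still open SSH
    to the controller. A scanner address should not appear in the result."""
    return [ip for ip in source_ips
            if cpu_acl_decision(acl, Packet(ip, WLC_MGMT_IP, "tcp", 22)) == "permit"]


PROTO_NUM = {"tcp": "6", "udp": "17", "any": "any"}   # IP protocol numbers as AireOS takes them


def aireos_cli(acl, name="MGMT-CPU"):
    """Render the ACL as AireOS 'config acl' lines (syntax assumed from memory;
    verify against your release before pasting)."""
    lines = [f"config acl create {name}"]
    for r in sorted(acl, key=lambda r: r.seq):
        net = ipaddress.ip_network(r.src, strict=False)
        lines.append(f"config acl rule add {name} {r.seq}")
        lines.append(f"config acl rule source address {name} {r.seq} {net.network_address} {net.netmask}")
        lines.append(f"config acl rule protocol {name} {r.seq} {PROTO_NUM[r.proto]}")
        if r.dport != (0, 65535):
            lines.append(f"config acl rule destination port range {name} {r.seq} {r.dport[0]} {r.dport[1]}")
        lines.append(f"config acl rule action {name} {r.seq} {r.action}")
    lines.append(f"config acl apply {name}")
    lines.append(f"config acl cpu {name}")   # bind the ACL to the controller CPU
    return lines


if __name__ == "__main__":
    samples = [
        ("admin SSH", Packet("10.10.10.20", WLC_MGMT_IP, "tcp", 22)),
        ("scanner SSH", Packet("10.50.1.9", WLC_MGMT_IP, "tcp", 22)),
        ("admin Telnet", Packet("10.10.10.20", WLC_MGMT_IP, "tcp", 23)),
        ("guest client to the internet", Packet("192.168.40.7", "93.184.216.34", "tcp", 443)),
    ]
    for label, pkt in samples:
        print(f"{label:32s} -> {cpu_acl_decision(CPU_ACL, pkt)}")
    print("SSH still reachable from:", ssh_reachable_from(CPU_ACL, ["10.10.10.20", "10.50.1.9"]))
    print("\n".join(aireos_cli(CPU_ACL)))
```

The `bypass` result is the point made above about the three SSIDs: the CPU ACL never sees client traffic passing through the controller, only packets addressed to the controller. The `ssh_reachable_from` check is what the scanner question comes down to: run the equivalent real test (an SSH connection attempt) from an address in the permitted set and from the scanner's address, and only the first should get a banner.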

Leftz (Level 4)

@Flavio Miranda We just tried the ACL, but it does not work, which means we still get the same scan result as before. Please see below. Seq 5 and 6 are to permit our access to the WLC IP address and block all others. Is some step wrong? Thanks

(attachment: 1.PNG)