
vulnerability SSL 2.0, SSL 3.0, TLS 1.0 and / or TLS 1.1

William Cortes
Level 1

Good day,

I have a client who reports the following vulnerability in the Cisco WLC:

The server accepts connections using SSL 2.0, SSL 3.0, TLS 1.0 and / or TLS 1.1. These versions contain many cryptographic weaknesses and are considered obsolete by the regulatory bodies. An attacker can use these vulnerabilities to carry out Man in the Middle (MitM) attacks or decrypt communications between client and server.

How can I verify if this vulnerability exists in my WLC, how would it be mitigated? Or, on the contrary, how do I show the client that the WLC does not have the vulnerability?

 

I share some data from my WLC:

MODEL 2504

Product Version.................................. 8.3.133.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. PIC 16.0

 

Thank you for your help and contributions.

 

6 Replies

marce1000
VIP

 

> How can I verify if this vulnerability exists in my WLC,

By using security analysis tools that can detect these types of vulnerabilities.

> Or, on the contrary, how do I show the client that the WLC does not have the vulnerability?

Same answer

> how would it be mitigated?

The only thing you can do is upgrade the controller to the latest software version for the particular platform; one summary command to give an initial overview of the (remaining) available ciphers is:

    nmap --script ssl-enum-ciphers controllername

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

patoberli
VIP Alumni

On the WLC under Security - Web Auth - Secure Web, is Cipher-Option High enabled?
Or on the CLI: config network secureweb cipher-option high enable

You need to reload your WLC after enabling this.


That will disable the older versions and should only allow TLS 1.2. If you don't have that option, it might be possible that you need to upgrade your WLC to a newer software (make sure your used APs are still supported!).

 

Edit

Just checked this: https://community.cisco.com/t5/wireless-security-and-network/how-do-you-disable-tls-version-1-0-on-cisco-wlc/td-p/3379672

It seems your version contains a bug and doesn't disable the old versions. It's fixed in 8.5.140.0 and in the not yet available 8.3.150.0 (if this version will ever be released). You can also raise a TAC to receive 8.3MR4 which has probably fixed it.

Good afternoon;

 

Thanks for your help, it was very useful for me.

 

Excuse me, but do you know the command to see the SSL and TLS versions that are enabled in the WLC?

I'm not sure you can directly see that on the WLC. You can probably test this by using Nessus: 

https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)

 

I was curious and just tested this on my WLC running 8.8.120.0 with Cipher-Option-High enabled and rebooted.
The result of the sslscan tool from: https://github.com/rbsec/sslscan is this (compiled it without SSLv2 support):

./sslscan --no-failed 172.16.102.12
Version: 1.11.13-rbsec-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Connected to 172.16.102.12

Testing SSL server 172.16.102.12 on port 443 using SNI name 172.16.102.12

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Secure session renegotiation supported

TLS Compression:
Compression disabled

Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 256 bits CAMELLIA256-SHA
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 128 bits SEED-SHA
Accepted TLSv1.2 128 bits CAMELLIA128-SHA
Accepted TLSv1.2 128 bits IDEA-CBC-SHA
Preferred TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 256 bits CAMELLIA256-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 128 bits SEED-SHA
Accepted TLSv1.1 128 bits CAMELLIA128-SHA
Accepted TLSv1.1 128 bits IDEA-CBC-SHA
Preferred TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 256 bits CAMELLIA256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 128 bits SEED-SHA
Accepted TLSv1.0 128 bits CAMELLIA128-SHA
Accepted TLSv1.0 128 bits IDEA-CBC-SHA

SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048

Subject: 169.254.1.1
Altnames: IP Address:169.254.1.1, URI:https://169.254.1.1
Issuer: 169.254.1.1

Not valid before: Jul 18 00:00:01 2018 GMT
Not valid after: Jul 18 00:00:01 2028 GMT
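
Added example, not part of the original thread: a short Python script that reads sslscan text output like the scan above and reports which of the protocol versions named in the finding (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1) the server accepted, so the result can be shown to the client either way. The function names and the sample lines are constructed for illustration, and the line format is assumed to match sslscan 1.x text output.

```python
import re
import sys
from collections import defaultdict

# Protocol versions the finding in the question calls obsolete.
DEPRECATED = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1")

# sslscan may colour its output; strip ANSI escapes before matching.
ANSI = re.compile(r"\x1b\[[0-9;]*m")

# Cipher lines look like: "Accepted  TLSv1.1  128 bits  AES128-SHA"
CIPHER_LINE = re.compile(
    r"^\s*(Preferred|Accepted)\s+(SSLv[23]|TLSv1\.[0-3])\s+(\d+)\s+bits\s+(\S+)"
)

def accepted_by_protocol(scan_text):
    """Return {protocol: [cipher, ...]} for every cipher line in the scan."""
    result = defaultdict(list)
    for line in scan_text.splitlines():
        m = CIPHER_LINE.match(ANSI.sub("", line))
        if m:
            result[m.group(2)].append(m.group(4))
    return dict(result)

def deprecated_protocols(scan_text):
    """Return the obsolete protocol versions the scan shows as accepted."""
    accepted = accepted_by_protocol(scan_text)
    return [p for p in DEPRECATED if p in accepted]

# Constructed sample: a few lines in the format of the scan output above.
SAMPLE = """\
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 128 bits AES128-SHA
Preferred TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Preferred TLSv1.0 256 bits AES256-SHA
"""

if __name__ == "__main__":
    # Pass a saved scan file as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    ciphers = accepted_by_protocol(text)
    found = deprecated_protocols(text)
    for proto in found:
        print(f"{proto} accepted: {', '.join(ciphers[proto])}")
    if not found:
        print("No deprecated protocol versions seen in this scan.")
```

A protocol missing from the result only means the scanner did not see it accepted: a scanner built without support for a version (as with SSLv2 in the build used above) cannot test for it.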

Good evening;
Thanks for your help, it has been very useful.
