cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

OpenSSL vulnerabilities in WLC 7.4.110.0

323
Views
0
Helpful
0
Comments

 

Introduction

Version 7.4.11.0 is vulnerable to the following CVE IDs:

CVE-2014-0224 CVE-2014-0221 CVE-2014-0195 CVE-2014-0198 CVE-2010-5298 CVE-2014-3470 CVE-2014-0076   Is there a patch, that could fix it?  

Solution

Symptom:
The following Cisco products:
Wireless Lan Controllers: 5500, 2500, Wism1, Wism2, 7500, 8500, 2100, NM-WLC, 4400
include a version of openssl that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-0224 - SSL/TLS MITM vulnerability
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-3470 - Anonymous ECDH denial of service
CVE-2014-0221 - DTLS recursion flaw 
CVE-2014-0195 - DTLS invalid fragment vulnerability

This bug has been opened to address the potential impact on this product.

Conditions:
Devices with default configuration.

Affected Releases
All 4.x, 5.x, 6.x, 7.0.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x
Workaround:Not Available

More Info:
CVE-2014-3470: EDCH is not in use, but a patch for the issue will be included

Fixed Releases
Upcoming: 7.4.130.0, 7.0.x
Released: 7.6.130.0, 8.0.100.0
Will not be fixed: 4.x, 5.x, 6.x, 7.2.x, 7.3.x, 7.5.x (all end of engineering maintenance)

Fixed code will be posted in CCO soon. For beta access contact wnbu-mrbeta@external.cisco.com

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.5: https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product. 

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

 

Known Affected Releases

 
7.0(250.0)
7.3(112.0)
7.4(110.0)
7.4(120.0)
7.5(102.0)
7.6(120.0)

 

Known Fixed Releases

 
7.0(241.14)
7.0(250.1)
7.0(251.0)
7.4(121.24)
7.4(122.22)
7.4(122.24)
7.5(102.25)
7.6(101.216)
7.6(120.20)
 
 

7.6(122.2)
7.6(122.7)
7.6(130.0)
8.0(100.0)
8.0(72.210)
8.0(72.224)
8.0(75.4)
8.1(2.21)

Download software for  Cisco 5500 Series Wireless Controllers

Source

Multiple Vulnerabilities in OpenSSL - June 2014 - CSCup22587

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products

This document is created from the following discussion:

OpenSSL vulnerabilities in WLC 7.4.110.0

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards