cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9806
Views
36
Helpful
55
Replies

CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

This seems bad. - "I'm fuzzy on the whole good/bad thing. What do you mean, "bad"? "........

LWA, and basically also CWA, uses the webservice of the 9800.

Should we all just shut down our guest networks until a workaround / patch can be found ?

Currently that is what Im thinking.

Can anyone shed some light on my concern ?

 

55 Replies 55

So .. I actually CAN install it. I just loose the SMU and APSPs I had installed on 17.9.4 like you do when you install a brand new software. - I just think its weird the wording.

The question is then if you could actually install the APSP and SMU after on top of 17.9.4a (I think not, as far as I remember it cheks version) but it would be nice if you could.

Im now starting to feel that this is "kinda" a "fail". - Why a whole new software, and not just release a SMU first then ?

Answering my own question : "Thinking that it might be a "statement" that there is a "brand new" software and not just a SMU" patch" for a score 10 issue.

Javier Contreras
Cisco Employee
Cisco Employee

hi

we documented this here:
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/221107-filter-traffic-destined-to-cisco-ios-xe.html

Webauth does not expose any of the management UI, so it is not vulnerable to this issue. Using Access class for HTTP can be used as workaround, until fixes are posted across all releases

regards

 

SondreSandberg
Level 1
Level 1

Also wondering about the APSP and SMU, is it implemented in 17.9.4a? 

 

@Rich R Replied earlier on that in this thread :
        > (earlier poster) : So i cannot install the "a" version if I have a APSP/SMU installed on 17.9.4 ?
 If you upgrade to 17.9.4a you will lose the 17.9.4 SMU and APSP fixes.
There will be a new 17.9.4 SMU with the fix which you can use if you already have SMU and/or APSP installed.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

hi Sondre
17.9.4a does not include APSP/SMU, as it is just CCO 17.9.4 plus webUI fix, we put a notice in the download page to clarify that

we will publish SMU for 17.9.4, with the webUI fix soon, so you can avoid full upgrade if APSPs are currently applied, this should be available very soon

regards

Hi @Javier Contreras 

If a customer is coming from an older version and because of this security issue he wants to upgrade to 17.9.4.

Would the best approach then be to go 17.9.4a and install the current available APSPs from 17.9.4(non-a)  (can you even do that ?)

Or if you cannot use the APSPs from 17.9.4 on 17.9.4.a , just install 17.9.4(non-a) - Install the, now available, security fix SMU, and then the APSPs for 17.9.4 ?

I guess the question is: Can you use the APSPs from 17.9.4 on 17.9.4a ?

hi @Thomas Obbekaer Thomsen 

>Can you use the APSPs from 17.9.4 on 17.9.4a ?
Unfortunately, no, that is one of the reasons we posted the 17.9.4 SMU last night, so existing customers on 17.9.4 can get the security fix, without having to deal with APSP again

>Would the best approach then be to go 17.9.4a and install the current available APSPs from 17.9.4(non-a)  (can you even do that ?)

it depends,  if they need the fixes in the current APSPs, then they will need 17.9.4 + SMU + APSPs
if they do "not" need them, then they can go into 17.9.4a directly

we are working on sorting out future APSPs/17.9.4 status,  as it is special situation for Wireless.
The new SMU allows to get fix now, until that is solved.

regards

RoadRunner4k
Level 1
Level 1

Anyone used DNA center to upgrade the WLC with ? and used ISSU and found the the ISSU matrix  ?

RoadRunner4k
Level 1
Level 1

Anyone know if there will be any issues in patching the WLC directly not using DNA Center ? its a classic deployment non SDA.

Only as no matrix files are put available on download page. So its not possible to do ISSU from DNA.

Get a TAC Proactive Case and a TAC Engineer (not to be confused with a TAC Agent) is WebEx to the WLC before embarking a firmware upgrade using ISSU.  

Please note CSCwh76420, CSCwe62246, CSCwh36951.

Leo Laohoo
Hall of Fame
Hall of Fame

WARNING:  Do not make any attempt(s) to use Hitless Upgrade when upgrading from 17.9.4 to 17.9.4a.  

We hit two bugs: 

1.  The Primary Controller moves the APs by rebooting all of the APs simultaneously.  
2.  The Secondary Controller refuses to return the APs back to the Primary Controller.  

UPDATE (December 2023):  TAC Sydney was able to successfully replicate, six times out of six attempts, this bug feature.

And for anyone planning to upgrade 9800 firmware using ISSU, please be aware of CSCwh76420, CSCwh36951.

Review Cisco Networking for a $25 gift card