10-17-2023 07:53 AM
This seems bad. - "I'm fuzzy on the whole good/bad thing. What do you mean, 'bad'?"
LWA, and basically also CWA, uses the webservice of the 9800.
Should we all just shut down our guest networks until a workaround / patch can be found ?
Currently that is what I'm thinking.
Can anyone shed some light on my concern?
10-17-2023 07:58 AM
>...Can anyone shed some light on my concern?
- The advised strategy for security issues with Cisco products is: use the recommended software version first; for the 9800 platforms that would be 17.9.4. If the particular security problem is detected again, and depending on business need -> contact TAC,
M.
10-17-2023 08:05 AM
So what you are saying is "this is fine" ? (insert "this is fine meme" here).
10-17-2023 08:26 AM
- As far as I can recall, I am 'just saying' the opposite,
M.
10-17-2023 08:52 AM
- FYI: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh87343
M.
10-17-2023 09:37 PM
Looking at the Bug Search Tool, known affected releases include 17.6.5 and 17.3.3, but does it also affect 17.12.1?
I don't know how to try this vulnerability CVE-2023-20198.
10-18-2023 05:47 AM
The CVE basically says all IOS-XE products with the web service enabled.
And there are no "fixes", so there is a very big possibility that all IOS-XE software versions are affected.
The only recommendation is also just to turn off HTTP and HTTPS until a patch can be made available.
10-18-2023 06:04 AM
Ref: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
>...If the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP.
If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.
M.
10-18-2023 06:39 AM
Yes, that makes perfect sense: telling the config that you cannot have any sessions to the web service makes the exploit not work.
I don't know what scenario you would configure this in. Enable the web service, but not have it accept any sessions?
But I'm pretty certain (and I have not tested this) that this will also make CWA and LWA not work.
10-18-2023 07:20 AM
- The workaround does not relate to sessions; it prevents the web server from loading additional modules,
M.
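A defender-side check of the two advisory conditions quoted above (and the module-loading point in the reply that follows), as an added example and not code from this thread or from Cisco. It reads `show running-config` text and reports, per transport, whether the web server is off, on with the advisory's workaround line, or on without it; the sample configs are constructed, and it assumes an enabled server appears as an explicit `ip http server` / `ip http secure-server` line.

```python
# Added example: classify an IOS XE running-config's web UI exposure using the
# two advisory conditions quoted in this thread. Sample configs are constructed.

# Exact config lines the advisory's workaround text refers to.
HTTP_ON = "ip http server"
HTTPS_ON = "ip http secure-server"
HTTP_MODULES_NONE = "ip http active-session-modules none"
HTTPS_MODULES_NONE = "ip http secure-active-session-modules none"

def _transport_state(lines: set, enable_cmd: str, modules_none_cmd: str) -> str:
    # Assumption: an enabled server appears as an explicit enable line, while
    # "no <cmd>" (or no line at all) means that transport is off.
    if enable_cmd not in lines:
        return "disabled"
    if modules_none_cmd in lines:
        return "workaround"   # server on, but it cannot load additional modules
    return "exposed"          # server on with no mitigation in the config

def assess_webui(config: str) -> dict:
    """Return {'http': state, 'https': state} from 'show running-config' text."""
    lines = {ln.strip() for ln in config.splitlines() if ln.strip()}
    return {
        "http": _transport_state(lines, HTTP_ON, HTTP_MODULES_NONE),
        "https": _transport_state(lines, HTTPS_ON, HTTPS_MODULES_NONE),
    }

def needs_action(config: str) -> bool:
    """True if either transport is on without the advisory's workaround."""
    return "exposed" in assess_webui(config).values()

# Constructed sample configs, not taken from any real device.
CONFIG_EXPOSED = "hostname WLC-9800-lab\nip http server\nip http secure-server\n"
CONFIG_WORKAROUND = (
    "ip http server\nip http active-session-modules none\n"
    "ip http secure-server\nip http secure-active-session-modules none\n"
)
CONFIG_DISABLED = "no ip http server\nno ip http secure-server\n"

if __name__ == "__main__":
    for name, cfg in [("exposed", CONFIG_EXPOSED),
                      ("workaround", CONFIG_WORKAROUND),
                      ("disabled", CONFIG_DISABLED)]:
        print(f"{name}: {assess_webui(cfg)} action needed: {needs_action(cfg)}")
```

Whether the workaround lines break CWA/LWA on a given controller is not something this check can tell you; it only reports what the config says.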
10-19-2023 12:58 AM
(this information is useless for WLC users, I apologize)
10-17-2023 10:50 PM
Would be nice to know if the recommended releases are fixed from this CVE
10-18-2023 05:42 AM
Haven't heard anything additional yet.
But this being a 10.0 ... I mean ... that's bad ...
And the silence from Cisco worries me.
So I'm right now recommending my customers to not use LWA or CWA as a precaution.
10-19-2023 02:17 AM
Definitely no fixed versions - all are affected.
10-18-2023 12:15 AM
Not a particularly concrete answer to Thomas.
It would be nice to know if enabled central web auth on the WLC contributes to security vulnerabilities or not.
/Finn