
OpenSSH v4 vulnerabilities in 4400 WLC (WiSM)

ninjay999
Level 1

Hi,

I recently did a vulnerability scan of a 4400 (4404) series wireless LAN controller running 7.0.116.0 and it showed SSH running on port 22 of the management interface. The problem I have is that the vulnerability scanner (Nessus) showed the version to be OpenSSH 4.0 according to the SSH banner. Based on this version it has highlighted a large number of potential vulnerabilities including denial of service and privilege escalation issues. I've researched each of these vulnerabilities and they do indeed affect this version of OpenSSH and some of them are quite serious. However, I can find absolutely no reference on the web to this device (or indeed any Cisco device) being vulnerable to these OpenSSH bugs. I can find references to other SSH bugs but these are not the same ones that appear to affect OpenSSH 4.0 and the version of software on the device is not vulnerable to those other ones. I would have imagined with both the popularity of the device and of the vulnerability scanner that someone would have encountered this before. I'm starting to think now that this is a false positive on the scanner's part or else that Cisco fixes these bugs individually without upgrading the version of OpenSSH in the banner and so it is not affected - but I would have thought there would still be reference to these somewhere online. I'd appreciate any thoughts anyone would have on this.

Some of the vulnerabilities that the scanner is showing against this version of OpenSSH are as follows:

X11 trusted cookie forwarding issue -> (CVE-2007-4752)
Potential denial of service by crashing ssh service -> (CVE-2006-4925)
Privilege escalation via weak verification of authentication -> (CVE-2006-5794)
DoS by forcing keys to be recreated -> (CVE-2007-0726)
Uncover 32 bits of plain text from arbitrary block of ciphertext -> (CVE-2008-1483)
Hijack X11 session due to binding TCP ports to IPv6 interface instead of IPv4 when IPv4 is in use -> (CVE-2008-1483)
Execute arbitrary commands if a user copies a maliciously crafted file via scp -> (CVE-2008-1483)
Execution of commands using weakness in the ForceCommand directive -> (CVE-2008-1657)

Thanks.

Accepted Solutions

rmartini
Level 1

Please have a look at CSCsx46691

Symptom:

Several security scanners mistakenly identify Cisco Wireless LAN Controllers as being affected by multiple OpenSSH related vulnerabilities.

Conditions:

A security scanner that identifies vulnerable software by the banner that is returned when a connection is made to a service's listening port may misidentify the Cisco Wireless LAN Controller as being vulnerable. This occurs because the WLC returns a banner of OpenSSH v4.0.

Workaround:

Ignore the warnings from the scanner software.

Further Problem Description:

The OpenSSH codebase is patched and maintained by Cisco Engineering to address known security vulnerabilities in OpenSSH version 4.0. Because the banner returned by the WLC does not reflect this, security scanners may mistakenly flag the devices as being vulnerable.
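
The misidentification described in CSCsx46691 can be handled at scan triage by separating findings inferred from the banner alone from findings confirmed by an active check. The following is an added example, not part of the original posts or of Cisco's or the scanner's tooling; the hostnames, the exact `SSH-2.0-OpenSSH_4.0` banner string and the finding format are assumptions constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def parse_ident(line):
    """Split an SSH identification string into its fields; None if malformed."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def triage(finding, vendor_builds):
    """Return a disposition for one finding.

    finding['evidence'] is 'banner' (version read from the banner) or 'active'
    (the scanner exercised the flaw). vendor_builds maps hosts whose SSH server
    is a vendor-patched build to the vendor reference that documents it.
    """
    ident = parse_ident(finding["banner"])
    if ident is None:
        return "review: not a valid SSH identification string"
    if finding["evidence"] != "banner":
        return "actionable: confirmed by an active check"
    ref = vendor_builds.get(finding["host"])
    if ref:
        return f"verify with vendor ({ref}): inferred from '{ident['software']}' only"
    return "actionable: banner version is the only evidence and no vendor note exists"

# Constructed sample data. Hostnames and the exact banner string are assumptions;
# the CVE ids and the bug id are the ones quoted in this thread.
VENDOR_BUILDS = {"wlc-4404.example.net": "CSCsx46691"}
FINDINGS = [
    {"host": "wlc-4404.example.net", "cve": "CVE-2006-5794",
     "banner": "SSH-2.0-OpenSSH_4.0\r\n", "evidence": "banner"},
    {"host": "wlc-4404.example.net", "cve": "CVE-2008-1657",
     "banner": "SSH-2.0-OpenSSH_4.0\r\n", "evidence": "banner"},
    {"host": "build01.example.net", "cve": "CVE-2008-1657",
     "banner": "SSH-2.0-OpenSSH_4.0\r\n", "evidence": "banner"},
]

def triage_all(findings, vendor_builds):
    """Pair every finding's host and CVE with its disposition."""
    return [(f["host"], f["cve"], triage(f, vendor_builds)) for f in findings]

if __name__ == "__main__":
    for host, cve, verdict in triage_all(FINDINGS, VENDOR_BUILDS):
        print(f"{host:24} {cve:15} {verdict}")
```

The same banner yields different dispositions depending on whether the asset inventory records a vendor-maintained build, which keeps the suppression scoped to documented devices instead of to every host that reports that version.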

2 Replies

Hi,

Thanks very much for the response. That clears up that issue. The Cisco code you give - CSCsx46691 - is that only available to view for certain Cisco membership types? I searched for it on Google and on this site but can't find any reference to it. Thanks for posting the content of it!
