Poodle & WLC 5508

odegroote · ‎11-28-2016

What are the recommened parameters to mitigate Security vulnerabilities such as sslv3 poodle?

Cisco Controller) >show network summary

RF-Network Name............................. CLFWC-Wireless

Web Mode.................................... Disable

Secure Web Mode............................. Enable

Secure Web Mode Cipher-Option High.......... Enable

Secure Web Mode Cipher-Option SSLv2......... Disable

Secure Web Mode RC4 Cipher Preference....... Enable

Secure Web Mode SSL ... Disable

What are the 2 last options for?

Should we disable RC4?

Sandeep Choudhary · ‎11-28-2016

Hi,

Just check this documents: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle

and tried to keep these version on WLC:

8.0.110.0 (Available)
7.0.251.0 (Available)
7.4.130.0 (Available)

Also check this bug detail:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur27551

"

Conditions:
HTTPS Management, webauth are vulnerable by default

Workaround:
Use FIPS mode (config switchconfig fips-prerequisite enable ), as it restricts the supported cipher suits
Note: this config change has implications on other features, for example, restricting to SNMPv3, crypto protocols are set for only HMAC-SHA1, no RC4, etc. so validate if it is applicable on your usage scenario, and compatibility for management applications connecting to the WLC
it is recommended to move to a fixed version

Further Problem Description:
Fix now available in 7.0.251.2, 7.4.130.0, 8.0.110.0 in CCO

Type of behavior change: TLSv1 will be used for webadmin/web-auth access on WLC by default. SSLv3 which was earlier used is disabled.

Impact: Clients now have to use TLSv1 for webadmin/web-auth. If they want to use SSLv3 only then SSLv3 needs to be enabled using CLI:
config network secureweb sslv3 enable

"

Regards

Dont forget to rate helpful posts