Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1172
Views
4
Helpful
8
Replies

SSH VULNERABILITY ON WLC 5508

Dechamo
Level 1
Level 1

‎12-26-2024 08:06 AM

 i have 2 WLC 

AIR-CT5508-50-K9  AND AIR-CT5508-25-K9 Release: 8.5.151.0

 

o Type of Vulnerability: SSH Bruteforceo SSH bruteforce login attempts have been detected.
o One or more valid SSH user logins have been found through bruteforcing.
o Accounts with default, null, blank, or missing passwords have been identified.
o Associated CVEs: CVE-1999-0508, CVE-1999-0502, CVE-2015-7755.

Can you help me solve this problem please ?

 

 

 

0 Helpful
8 Replies 8

MHM Cisco World
VIP
VIP

‎12-26-2024 08:08 AM

Sorry is this issue related to ASA ? 

Why yoh tag it with ASA 

MHM

0 Helpful

Dechamo
Level 1
Level 1
In response to MHM Cisco World

‎12-26-2024 08:12 AM

Sorry, it's not an ASA but a WLC 5508.

MHM Cisco World
VIP
VIP
In response to Dechamo

‎12-26-2024 08:59 AM

Try disable mgmt over wireless

It can reduce this DoS attack 

MHM

0 Helpful

Dustin Anderson
VIP Alumni
VIP Alumni

‎12-26-2024 08:47 AM

5508 is well past any vulnerability fixes, so there really isn't anything you can do about the issue. July 2021 was the end of vulnerability support.

https://www.cisco.com/c/en/us/products/collateral/wireless/5500-series-wireless-controllers/eos-eol-notice-c51-740221.html

 

Rob Ingram
VIP
VIP

‎12-26-2024 08:50 AM

@Dechamo based on the information you provided, you should set passwords on the user accounts on the WLC.

You should at a minimum consider upgrading the software image, 8.5.151.0 is over 5.5 years old, the latest version 8.5.182.0, is still 3 years old. You should consider replacing the hardware, as the 5508 is end of support.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎12-26-2024 05:08 PM

@Dechamo wrote:

 

o Type of Vulnerability: SSH Bruteforceo SSH bruteforce login attempts have been detected.
o One or more valid SSH user logins have been found through bruteforcing.

Where is SSH attempts coming from?  Are they coming from external IP address?

0 Helpful

Rich R
VIP
VIP

‎12-27-2024 08:17 AM

As the others have already pointed out the 5508 is long past end of support so you use them at your own risk because they are unsupported.

Nevertheless:
Accounts with default, null, blank, or missing passwords have been identified.
It's up to you to fix this! Make sure all your user accounts have long complex passwords which are changed regularly. Ideally use a solution like TACACS to provide central authentication and authorisation (AAA) and avoid using local username/passwords except as last resort.  There's lots of advice to be found on username and password security on the internet.

Release: 8.5.151.0 is dreadfully old and out of date.  At the minimum you should upgrade to the last available release (8.5.182.12) which contains a number of security vulnerability fixes since 8.5.151.0.  The download link is in my signature text below (it's not on the standard download pages).

Use infrastructure ACLs and/or firewall to protect the WLCs from SSH coming into your network from outside.
Use CPU ACL on the WLC to restrict SSH access to the WLC itself.
As @MHM Cisco World said disable management over wireless.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Scott Fella
Hall of Fame
Hall of Fame

‎12-30-2024 10:20 AM

Might as well put my 2cents.... If you have TACACS and or syslog, you should be able to detect and see where any failures are coming from.  That way you can put a plan into action.  What you are seeing is because you are probably using local accounts, this would be something in general you should be cleaning up even with other network devices you have in your network.  This should be an eye opener and something you should plan on reviewing not just on your 5508's, but everywhere.  TACACS is what you should implement if not already, also if you are using TACACS, you probably are allowing local then TACACS, which might be why the scans are catching this.

-Scott
*** Please rate helpful posts ***
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card