04-15-2019 01:54 PM - edited 07-05-2021 10:15 AM
Good day,
I have a client who reports the following vulnerability in the Cisco WLC:
The server accepts connections using SSL 2.0, SSL 3.0, TLS 1.0 and/or TLS 1.1. These versions contain many cryptographic weaknesses and are considered obsolete by the regulatory bodies. An attacker can use these vulnerabilities to carry out Man-in-the-Middle (MitM) attacks or decrypt communications between client and server.
How can I verify whether this vulnerability exists in my WLC, and how would it be mitigated? Or, on the contrary, how do I show the client that the WLC does not have the vulnerability?
I share some data from my WLC:
MODEL 2504
Product Version.................................. 8.3.133.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. PIC 16.0
Thank you for your help and contributions.
04-15-2019 11:24 PM
> How can I verify if this vulnerability exists in my WLC,
By using security analysis tools that can detect this type of vulnerability.
> Or, on the contrary, how do I show the client that the WLC does not have the vulnerability?
Same answer.
> how would it be mitigated?
The only thing you can do is upgrade the controller to the latest software version for the particular platform; one summary command to give an initial overview of the (remaining) available ciphers is:
nmap --script ssl-enum-ciphers controllername
M.
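To turn the nmap output into something you can hand to the client as evidence, here is a small parser for the `ssl-enum-ciphers` script output. This is an added example, not code from the thread or from Cisco; the sample output embedded below is constructed to mirror nmap's layout (protocol headers indented three spaces, sections five, cipher entries seven), and `report_legacy_protocols` is an assumed helper name.

```python
import re
from typing import Dict, List

# Protocol versions the client's report calls obsolete.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample of `nmap --script ssl-enum-ciphers` output for a
# controller that still offers TLS 1.0 next to TLS 1.2 (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

PROTOCOL_HEADER = re.compile(r"^(SSLv[23]|TLSv1\.[0-3]):$")


def _depth_and_text(line: str):
    """Strip nmap's '|' / '|_' gutter and return (indent depth, stripped text)."""
    body = line[1:] if line.startswith("|") else line
    if body.startswith("_"):          # last line of the script block uses '|_'
        body = body[1:]
    return len(body) - len(body.lstrip(" ")), body.strip()


def parse_ssl_enum_ciphers(output: str) -> Dict[str, List[str]]:
    """Map each protocol version the server negotiated to its cipher suites."""
    protocols: Dict[str, List[str]] = {}
    current = None      # protocol block we are inside
    section = None      # 'ciphers', 'compressors', 'warnings', ...
    for line in output.splitlines():
        depth, text = _depth_and_text(line)
        if not text:
            continue
        if depth == 3 and PROTOCOL_HEADER.match(text):
            current = text[:-1]
            protocols[current] = []
            section = None
        elif depth == 5 and current is not None:
            section = text.rstrip(":")
        elif depth == 7 and current is not None and section == "ciphers":
            protocols[current].append(text.split()[0])   # suite name only
    return protocols


def report_legacy_protocols(output: str) -> List[str]:
    """Return the obsolete protocol versions the scanned server still accepts."""
    return sorted(p for p in parse_ssl_enum_ciphers(output) if p in LEGACY_PROTOCOLS)


if __name__ == "__main__":
    found = parse_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT)
    for proto, suites in found.items():
        print(f"{proto}: {len(suites)} suite(s)")
    print("legacy versions still enabled:", report_legacy_protocols(SAMPLE_NMAP_OUTPUT) or "none")
```

Run the real scan with `nmap --script ssl-enum-ciphers -p 443 <controller> > scan.txt` and feed the file to `report_legacy_protocols`; an empty list after the cipher-option change and reload is the evidence the client asked for, while a non-empty one points at the software bug discussed later in this thread.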
04-16-2019 05:24 AM - edited 04-16-2019 05:30 AM
On the WLC under Security - Web Auth - Secure Web, is Cipher-Option High enabled?
Or on the CLI: config network secureweb cipher-option high enable
You need to reload your WLC after enabling this.
That will disable the older versions and should only allow TLS 1.2. If you don't have that option, it might be possible that you need to upgrade your WLC to a newer software (make sure your used APs are still supported!).
Edit:
Just checked this: https://community.cisco.com/t5/wireless-security-and-network/how-do-you-disable-tls-version-1-0-on-cisco-wlc/td-p/3379672
It seems your version contains a bug and doesn't disable the old versions. It's fixed in 8.5.140.0 and in the not yet available 8.3.150.0 (if this version will ever be released). You can also raise a TAC to receive 8.3MR4 which has probably fixed it.
04-16-2019 12:55 PM
Good afternoon,
Thanks for your help, it was very useful for me.
Excuse me, but do you know the command to see the SSL and TLS versions that are enabled in the WLC?
04-16-2019 11:45 PM - edited 04-17-2019 01:31 AM
I'm not sure you can directly see that on the WLC. You can probably test this by using Nessus:
https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)
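If no scanner is at hand, the same check can be done from any host with Python: open one connection per protocol version, pinned to exactly that version, and see which ones the controller completes. This is an added example, not part of the thread or of Cisco's tooling. It assumes the management interface listens on 443 and that the local OpenSSL build still allows offering TLS 1.0/1.1 (the `@SECLEVEL=0` cipher string is there for that); `probe_tls_versions` and `legacy_versions_enabled` are assumed names, and the handshake callable is injectable so the logic can be exercised without a network. SSLv2 and SSLv3 cannot be requested through Python's `ssl` module, so those two still need the nmap script.

```python
import socket
import ssl
import sys
from typing import Callable, Dict, List

# Versions Python's ssl module can pin on a client context.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLSv1.0", "TLSv1.1"}


def _handshake(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake restricted to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Certificate validity is not the question here (WLCs often run a
    # self-signed cert); we only want to know whether the version negotiates.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Let the client offer legacy versions at all on newer OpenSSL builds.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        # Either the server refused the version or the local library could
        # not offer it; both show up as "not negotiated".
        return False


def probe_tls_versions(host: str, port: int = 443,
                       handshake: Callable[[str, int, ssl.TLSVersion], bool] = _handshake
                       ) -> Dict[str, bool]:
    """One pinned handshake per version; `handshake` is injectable for testing."""
    return {name: handshake(host, port, ver) for name, ver in VERSIONS.items()}


def legacy_versions_enabled(results: Dict[str, bool]) -> List[str]:
    """The obsolete versions the server still accepts, sorted."""
    return sorted(v for v, ok in results.items() if ok and v in LEGACY)


if __name__ == "__main__":
    # Placeholder target; pass the controller's management address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "wlc.example.invalid"
    res = probe_tls_versions(target)
    for name, ok in res.items():
        print(f"{name}: {'accepted' if ok else 'not negotiated'}")
    print("legacy versions still enabled:", legacy_versions_enabled(res) or "none")
```

Run it before and after enabling the high cipher option and reloading; if TLSv1.0 or TLSv1.1 still negotiate afterwards on 8.3.133.0, that matches the bug described above rather than a configuration mistake.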
04-17-2019 01:52 AM
04-22-2019 01:55 PM
Good evening,
Thanks for your help, it has been very useful.