cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1328
Views
1
Helpful
5
Replies

WLC 9800 - TLS ROBOT Vulnerability Detected

Good morning everybody.
We have a WLC 9800 IOS XE 17.09.
Our Information Security team reported that our WLC has the TLS ROBOT Vulnerability Detected vulnerability active.
Please, could you help me with this?
I've already searched the internet and CISCO websites but I didn't find anything related to WLC.

5 Replies 5

marce1000
VIP
VIP

 

  - Consider using latest advisory 17.9.4  , if not yet done , or utmost latest 17.12.1 if business permits ; that is  general approach for Cisco security issues ; if then not yet 'sufficient' then engage TAC , if business requires it , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi Marc.
Thank you very much for the information, let's study the option of updating the IOS.

Leo Laohoo
Hall of Fame
Hall of Fame

Raise a TAC Case and CC the security team with TAC.

Yes, this is also important.
Thanks Leo

Rich R
VIP
VIP

First: what version of code are you running?  17.09 is not a version number, it's a release train.  An actual release of IOS-XE will have a third digit 17.9.x?  It's always important to specify exactly which version of code you're running.

That said - updating your code is unlikely to make any difference.  This is a very old vulnerability related to RSA key exchange  which was addressed in affected Cisco products by https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20171212-bleichenbacher.html back in 2017/2018.  What you are reporting is probably a false positive detection caused by RSA key exchange being enabled on the WLC probably with a long life (5 or 10 year) self-signed certificate which the scanner cannot verify.

Analysis for 9800 would probably look the same as this bug which was raised for Telepresence:
https://bst.cisco.com/bugsearch/bug/CSCvi05672

So:
1. Get a CLEAR analysis of EXACTLY what your security team actually detected.  If they just say the scanner detected the vulnerability without any explanation then chances are the person you are talking to has no understanding of the details and you need to DEMAND a detailed technical analysis of what they are seeing and claiming.  If they can't give you that then tell them it's a false positive detection and to fix their scanner or come back to you with the actual details.

2. What can you do to address the false positive detection from your side?
- Use a proper 1 year certificate issued by a registered public Certificate Authority which the scanner can verify
- If possible use an EC certificate not an RSA certificate
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_certificate_management_gui.html#Cisco_Task_in_List_GUI.dita_caf25755-8771-48b1-a09c-8bc06b42a151

Also refer to the Best Practice guide for configuring secure web access:
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#Enablesecurewebaccess
Make sure to set TLSv1.2 and your security team's recommended choice of "ip http secure-ciphersuite"
For example many FIPS guides recommend "ip http secure-ciphersuite aes-128-cbc-sha" or "ip http secure-ciphersuite aes-256-cbc-sha"

Review Cisco Networking for a $25 gift card