10-04-2023 07:49 AM
Good morning everybody.
We have a WLC 9800 IOS XE 17.09.
Our Information Security team reported that our WLC has the TLS ROBOT Vulnerability Detected vulnerability active.
Please, could you help me with this?
I've already searched the internet and CISCO websites but I didn't find anything related to WLC.
10-04-2023 10:26 AM
- Consider using the latest advisory release, 17.9.4, if not yet done, or the very latest 17.12.1 if business permits; that is the general approach for Cisco security issues. If that is then not yet 'sufficient', engage TAC, if business requires it.
M.
10-05-2023 05:33 AM
Hi Marc.
Thank you very much for the information, let's study the option of updating the IOS.
10-04-2023 03:14 PM
Raise a TAC Case and CC the security team with TAC.
10-05-2023 05:34 AM
Yes, this is also important.
Thanks Leo
10-05-2023 04:50 PM
First: what version of code are you running? 17.09 is not a version number, it's a release train. An actual release of IOS-XE will have a third digit: 17.9.x. It's always important to specify exactly which version of code you're running.
That said - updating your code is unlikely to make any difference. This is a very old vulnerability related to RSA key exchange which was addressed in affected Cisco products by https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20171212-bleichenbacher.html back in 2017/2018. What you are reporting is probably a false positive detection caused by RSA key exchange being enabled on the WLC, probably with a long-life (5 or 10 year) self-signed certificate which the scanner cannot verify.
Analysis for 9800 would probably look the same as this bug which was raised for Telepresence:
https://bst.cisco.com/bugsearch/bug/CSCvi05672
So:
1. Get a CLEAR analysis of EXACTLY what your security team actually detected. If they just say the scanner detected the vulnerability without any explanation then chances are the person you are talking to has no understanding of the details and you need to DEMAND a detailed technical analysis of what they are seeing and claiming. If they can't give you that then tell them it's a false positive detection and to fix their scanner or come back to you with the actual details.
2. What can you do to address the false positive detection from your side?
- Use a proper 1 year certificate issued by a registered public Certificate Authority which the scanner can verify
- If possible use an EC certificate not an RSA certificate
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_certificate_management_gui.html#Cisco_Task_in_List_GUI.dita_caf25755-8771-48b1-a09c-8bc06b42a151
Also refer to the Best Practice guide for configuring secure web access:
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#Enablesecurewebaccess
Make sure to set TLSv1.2 and your security team's recommended choice of "ip http secure-ciphersuite".
For example many FIPS guides recommend "ip http secure-ciphersuite aes-128-cbc-sha" or "ip http secure-ciphersuite aes-256-cbc-sha"
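Before going back to the security team or TAC, it helps to establish for yourself the two facts the post above says a scanner keys on: does the management interface still accept RSA key exchange, and how long is its certificate valid for? The script below is an added example written for this thread, not Cisco code and not part of any reply. It is a plain Python 3.10+ program using only the standard `ssl` and `socket` modules. The host name `wlc.example.internal` is a placeholder, and the classifier covers IANA names (`TLS_RSA_WITH_AES_128_CBC_SHA`), OpenSSL names (`AES128-SHA`, `ECDHE-RSA-AES128-GCM-SHA256`) and the hyphenated spelling IOS XE uses in `ip http secure-ciphersuite` (`aes-128-cbc-sha`), so the same function can be run over a proposed cipher-suite list before it is configured.

```python
"""Verify the preconditions a ROBOT / Bleichenbacher-style scanner report
rests on: RSA key exchange accepted, and certificate validity period.
Added example for this thread; host names are placeholders."""
import socket
import ssl


def key_exchange(suite: str) -> str:
    """Classify a cipher suite name by key-exchange family.

    Accepts IANA (TLS_RSA_WITH_AES_128_CBC_SHA), OpenSSL (AES128-SHA,
    ECDHE-RSA-AES128-GCM-SHA256) and IOS XE CLI (aes-128-cbc-sha) spellings.
    Suites that return "RSA" encrypt the premaster secret with the server's
    RSA key, which is the mechanism padding-oracle scanners test.
    """
    s = suite.upper().replace("-", "_")
    if s.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "TLS1.3"          # TLS 1.3 suites always use ephemeral (EC)DH
    if "ECDHE" in s:
        return "ECDHE"
    if "DHE" in s:
        return "DHE"
    if "ECDH" in s:
        return "ECDH"            # static ECDH: no forward secrecy, but not RSA kex
    if "PSK" in s:
        return "PSK"
    # TLS 1.2-and-below suites without a named kex (TLS_RSA_WITH_*, AES128-SHA,
    # aes-128-cbc-sha) use RSA key transport.
    return "RSA"


def rsa_kex_suites(suites):
    """Return the subset of a proposed cipher-suite list that keeps RSA kex."""
    return [s for s in suites if key_exchange(s) == "RSA"]


def validity_days(not_before: str, not_after: str) -> int:
    """Certificate lifetime in days from the strings ssl.getpeercert() returns
    ('Jan  1 00:00:00 2023 GMT'). A 5- or 10-year self-signed cert shows up
    here as ~1826 or ~3653 days."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return (end - start) // 86400


def accepted_key_exchanges(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt one TLS 1.2 handshake per key-exchange family and record the
    negotiated suite (or False). Network call; not run by the tests."""
    results = {}
    for label, openssl_group in (("RSA", "kRSA"), ("ECDHE", "kECDHE"), ("DHE", "kDHE")):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # observing the handshake, not trusting the peer
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(openssl_group)
        except ssl.SSLError:
            results[label] = None         # local OpenSSL policy offers no such suites
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[label] = tls.cipher()[0]
        except (ssl.SSLError, OSError):
            results[label] = False
    return results


def peer_cert_validity(host: str, port: int = 443, timeout: float = 5.0):
    """Fetch the server certificate and return (notBefore, notAfter).

    getpeercert() only decodes a certificate that verified, so the leaf is
    fetched first and then pinned as the trust anchor for a second connection;
    this works for self-signed certificates, which a scanner cannot verify."""
    pem = ssl.get_server_certificate((host, port))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.load_verify_locations(cadata=pem)
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN   # accept a CA-issued leaf as anchor
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]


if __name__ == "__main__":
    target = "wlc.example.internal"       # placeholder, not a real host
    print("key exchange accepted:", accepted_key_exchanges(target))
    nb, na = peer_cert_validity(target)
    print(f"certificate valid {validity_days(nb, na)} days ({nb} -> {na})")
    print("RSA-kex suites in proposed list:",
          rsa_kex_suites(["aes-128-cbc-sha", "ecdhe-rsa-aes-128-cbc-sha"]))
```

If `accepted_key_exchanges` reports a suite under `RSA` and `validity_days` comes back in the thousands, the scanner's finding is explained by configuration rather than by the 2017 CSCvi05672-class defect, and the remediation path is the one the post describes: a CA-issued certificate (EC where possible) and a cipher suite that the `RSA` row no longer matches.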