WLC Drown vulnerability

jmprats
Level 4

Is the Cisco WLC vulnerable to the DROWN attack?

The Cisco security advisory is not very clear about that, or about the steps you must follow to protect the controller.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl

Do I need to disable SSLv2 in the wireless controller?

Thanks


Freerk Terpstra
Level 7

As of today the website shows that the WLC is vulnerable. From my own testing the WLC has SSL (version 2 and 3) disabled for the web interface with software 8.0 and higher. You have to turn it on manually with the help of the "config network secureweb xyz" commands. By default it will correctly send a TCP reset if your browser only tries to negotiate SSL and not the current TLS standards.

I'm wondering why they listed the latest release as vulnerable while the default configuration has had it disabled for quite some time. Maybe there is another service which uses SSL, but I have no idea what that can be (CAPWAP uses DTLS, for example). I guess we have to wait for more information; in the meantime you can use the "show network summary" command to verify that SSL has been disabled for the web interface.

Please rate useful posts... :-)
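To confirm the TCP-reset behaviour described above from outside the controller, here is an added example (not from the original post or from Cisco) that sends a bare SSLv2 CLIENT-HELLO to the HTTPS management port and classifies the reply; the host, port and timeout are assumptions and the sample replies in the comments are constructed.

```python
import os
import socket
from typing import Optional

# Classic SSLv2 cipher-spec identifiers (3 bytes each), as listed in the SSL 2.0 draft.
SSLV2_CIPHER_SPECS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]


def build_sslv2_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """Build an SSL 2.0 CLIENT-HELLO record (message type 0x01, version 0x0002)."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHER_SPECS)
    body = (
        b"\x01"                              # msg type: CLIENT-HELLO
        + b"\x00\x02"                        # client version: SSL 2.0
        + len(specs).to_bytes(2, "big")      # cipher-specs length
        + b"\x00\x00"                        # session-id length (none)
        + len(challenge).to_bytes(2, "big")  # challenge length
        + specs + challenge
    )
    # 2-byte record header: high bit set means "no padding", low 15 bits = length
    return (0x8000 | len(body)).to_bytes(2, "big") + body


def classify_response(data: bytes) -> str:
    """Map the first bytes the server sends back to an outcome a defender cares about."""
    if not data:
        return "closed"                  # reset or close: SSLv2 refused (expected on WLC 8.0+)
    if data[0] == 0x16:
        return "tls-handshake"           # TLS record: server answered with TLS, not SSLv2
    if data[0] == 0x15:
        return "tls-alert"               # TLS alert, e.g. protocol_version: refused politely
    if data[0] & 0x80 and len(data) > 2 and data[2] == 0x04:
        return "sslv2-server-hello"      # SSLv2 SERVER-HELLO: SSLv2 is enabled, investigate
    return "unknown"


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to the management interface (assumed host/port) and classify its reaction."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv2_client_hello())
            return classify_response(sock.recv(1024))
    except (ConnectionResetError, socket.timeout, OSError):
        return "closed"
```

Run `probe_sslv2("<wlc-management-ip>")` against your own controller: "closed" or "tls-alert" matches the reset behaviour described above, while "sslv2-server-hello" means the controller is still negotiating SSLv2 and the secureweb settings need to be reviewed.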

mohanak
Cisco Employee

Which version of WLC are you using?

The document you provided lists a bug related to version 8.3(15.85).

Another bug for your reference:

SSLv3 Poodle attack against https in wlc, CVE-2014-3566
CSCur27551
Description
Symptom:
This product includes a version of SSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-3566

This bug has been opened to address the potential impact on this product.
This applies to all WLCs types (5500/wism2/2500/4400/2100/7500/8500, etc)

Conditions:
HTTPS Management, webauth are vulnerable by default

Workaround:
Use FIPS mode (config switchconfig fips-prerequisite enable), as it restricts the supported cipher suites.
Note: this config change has implications on other features, for example restricting to SNMPv3, crypto protocols set to only HMAC-SHA1, no RC4, etc., so validate whether it is applicable to your usage scenario and compatible with the management applications connecting to the WLC.
It is recommended to move to a fixed version.

Further Problem Description:
Fix now available in 7.0.251.2, 7.4.130.0, 8.0.110.0 in CCO

Type of behavior change: TLSv1 will be used for webadmin/web-auth access on WLC by default. SSLv3 which was earlier used is disabled.

Impact: Clients now have to use TLSv1 for webadmin/web-auth. If they want to use SSLv3 only then SSLv3 needs to be enabled using CLI:
config network secureweb sslv3 enable


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html