WLC5520 8.10.185 - TLS1.2 Using Insecure Ciphers, CBC & SHA

Network713
Level 1

I have a WLC5520 on 8.10.185.0 (latest version); a scan shows that it is using insecure TLS 1.2 ciphers, CBC & SHA.

Vulnerabilities:

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

========================================================================

I did an nmap scan and see that these insecure ciphers are available. How do I remove the specific ciphers below on the WLC?

nmap --script ssl-enum-ciphers x.x.x.x
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 3072) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 3072) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 3072) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 3072) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A            <<<Need to remove, per vulnerability scan
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 3072) - A  <<<Need to remove, per vulnerability scan
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A            <<<Need to remove, per vulnerability scan
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 3072) - A  <<<Need to remove, per vulnerability scan

-------------------------------------------------------------------------------------------

CURRENT CONFIG:

(Cisco Controller) > show run-config
System Inventory
NAME: "Chassis" , DESCR: "Cisco 5520 Wireless Controller"
PID: AIR-CT5520-K9, VID: V01, SN: xxxx

System Information
Product Version.................................. 8.10.185.0
RTOS Version..................................... 8.10.185.0
Bootloader Version............................... 8.3.15.177
Emergency Image Version.......................... 8.3.141.0

(Cisco Controller) > config network secureweb cipher-option rc4-preference enable
This command has been deprecated!

 

(Cisco Controller) > show network sum
Web Mode.................................... Disable (disable http access)
Secure Web Mode............................. Enable  (enable https access)
Secure Web Mode Cipher-Option High.......... Enable  (SHA1, SHA256, SHA384 enable & TLSv1.0 disabled)
Secure Web Mode SSL Protocol................ Disable
Web CSRF check.............................. Enable
Secure Shell (ssh).......................... Enable
Secure Shell (ssh) Cipher-Option High....... Enable
Telnet...................................... Disable
Web Auth Secure Web Sslv3 ................. Disable (leave disabled, SSL deprecated because of vulnerabilities, replacement is TLS)
Web Auth Secure Redirection ............... Disable
Web Auth Secure Web ....................... Enable
...

 

===========================================================
CLI
1. HTTP Access -not secure
config network webmode {enable | disable}

2. HTTPS Access
config network secureweb {enable | disable}

3. Support larger ciphers: "SHA1, SHA256, SHA384 enable. TLSv1.0 is disabled."

???Cisco would need to remove SHA1 (insecure).
config network secureweb cipher-option high {enable | disable}

4. Not secure, should not use.
config network secureweb cipher-option sslv2 {enable | disable}

5. Enable 256 bit ciphers for a SSH:
config network ssh cipher-option high {enable | disable}

6.
(Cisco Controller) > config network secureweb cipher-option rc4-preference enable
This command has been deprecated!
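An added example (not from the post, and not Cisco code) that parses nmap ssl-enum-ciphers output like the scan above and flags each suite by its construction: CBC mode, an HMAC-SHA1 MAC (the bare "_SHA" suffix), and static RSA key exchange (no forward secrecy). The sample output is constructed from the scan lines in the question.

```python
"""Classify TLS 1.2 cipher suites listed by nmap's ssl-enum-ciphers script."""
import re

# Constructed sample, shaped like the nmap output in the question.
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 3072) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 3072) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 3072) - A
"""

# One suite line: "| <indent> TLS_NAME (key exchange) - grade"
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+(\S+)", re.M)


def parse_suites(output):
    """Return [(suite_name, key_exchange_info, nmap_grade), ...] from nmap text."""
    return SUITE_RE.findall(output)


def weaknesses(suite):
    """Reasons, derived from the IANA suite name, that a scanner rates it weak."""
    reasons = []
    if "_CBC_" in suite:
        reasons.append("CBC mode")          # MAC-then-encrypt, padding-oracle class
    if suite.endswith("_SHA"):
        reasons.append("SHA-1 MAC")         # bare SHA = HMAC-SHA1; SHA256/384 are not flagged
    if suite.startswith("TLS_RSA_WITH_"):
        reasons.append("no forward secrecy")  # static RSA key exchange
    return reasons


def flagged_suites(output):
    """Map suite name -> reasons, for every suite with at least one weakness."""
    return {name: weaknesses(name) for name, _, _ in parse_suites(output) if weaknesses(name)}


def scanner_findings(output):
    """Suites a CBC + SHA-1 finding (as in the question) would report, sorted."""
    return sorted(n for n, r in flagged_suites(output).items()
                  if "CBC mode" in r and "SHA-1 MAC" in r)
```

Note that every suite in the sample uses static RSA key exchange, so all eight lack forward secrecy even though the scanner only reported the four CBC/SHA-1 ones.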

7 Replies

marce1000
VIP


 - FYI : https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/administration_of_cisco_wlc.html#ID562
           Also use : https://software.cisco.com/download/home/286284738/type/280926587/release/8.10.185.0

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R
VIP

As Marce said, step number 1 is to upgrade to 8.10.185.0, which also resolves other known vulnerabilities.

Did you try this:


Enable or disable preference for RC4-SHA (Rivest Cipher 4-Secure Hash Algorithm) cipher suites (over CBC cipher suites) for web authentication and web administration by entering this command:

config network secureweb cipher-option rc4-preference {enable | disable}

I upgraded to the latest IOS and it is the same result.  WLC still shows that it is using vulnerable CBC & SHA1 ciphers.

(Cisco Controller) > show run-config
System Inventory
NAME: "Chassis" , DESCR: "Cisco 5520 Wireless Controller"
PID: AIR-CT5520-K9, VID: V01, SN: xxxx

System Information
Product Version.................................. 8.10.185.0
RTOS Version..................................... 8.10.185.0
Bootloader Version............................... 8.3.15.177
Emergency Image Version.......................... 8.3.141.0

(Cisco Controller) > config network secureweb cipher-option rc4-preference enable
This command has been deprecated!

Then I don't think there's anything you can do about it.

The bug Marce mentioned refers to very early versions of 8.10 and is for a different command anyway so I don't think that is relevant.

marce1000
VIP


        - FYI : https://bst.cisco.com/bugsearch/bug/CSCvq39439

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Yes, I used the GUI to config cipher high all along.
I upgraded to 8.10.185 and it still shows the same vulnerabilities.

Hi @Network713 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/administration_of_cisco_wlc.html

config network ssh cipher-option high {enable | disable}

config network secureweb sslv3 {enable | disable}

config network secureweb cipher-option rc4-preference {enable | disable}