Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2735
Views
1
Helpful
7
Replies

WLC5520 8.10.185 - TLS1.2 Using Insecure Ciphers, CBC & SHA

Network713
Level 1
Level 1

‎07-07-2023 09:11 AM - edited ‎07-24-2023 10:33 AM

I have WLC5520 8.10.185.0 (latest version), scan shows that it is uing insecure TLS 1.2 Ciphers CBC & SHA. 

Vulnerabilities:

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

========================================================================

I did an nmap and see that these insecure ciphers are available. How do I remove these specific below ciphers on the WLC?

nmap --script ssl-enum-ciphers x.x.x.x
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 3072) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 3072) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 3072) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 3072) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A            <<<Need to remove, per vulnerability scan
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 3072) - A  <<<Need to remove, per vulnerability scan
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A            <<<Need to remove, per vulnerability scan
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 3072) - A  <<<Need to remove, per vulnerability scan

-------------------------------------------------------------------------------------------

CURRENT CONIFG:

(Cisco Controller) > show run-config
System Inventory
NAME: "Chassis" , DESCR: "Cisco 5520 Wireless Controller"
PID: AIR-CT5520-K9, VID: V01, SN: xxxx

System Information
Product Version.................................. 8.10.185.0
RTOS Version..................................... 8.10.185.0
Bootloader Version............................... 8.3.15.177
Emergency Image Version.......................... 8.3.141.0

(Cisco Controller) > config network secureweb cipher-option rc4-preference enable
This command has been deprecated!

 

(Cisco Controller) > show network sum
Web Mode.................................... Disable (disable http access)
Secure Web Mode............................. Enable  (enable https access)
Secure Web Mode Cipher-Option High.......... Enable  (SHA1, SHA256, SHA384 enable & TLSv1.0 disabled)
Secure Web Mode SSL Protocol................ Disable
Web CSRF check.............................. Enable
Secure Shell (ssh).......................... Enable
Secure Shell (ssh) Cipher-Option High....... Enable
Telnet...................................... Disable
Web Auth Secure Web Sslv3 ................. Disable (leave disable, SSL depreciated bc of vulnerabilities, replacement is TLS)
Web Auth Secure Redirection ............... Disable
Web Auth Secure Web ....................... Enable
...

 

===========================================================
CLI
1. HTTP Access -not secure
config network webmode {enable | disable}

2. HTTPS Access
config network secureweb {enable | disable}

3. Support larger ciphers: "SHA1, SHA256, SHA384 enable. TLSv1.0 is disabled."

???Cisco would need to remove SHA1 (insecure).
config network secureweb cipher-option high {enable | disable}

4. Not secure, should not use.
config network secureweb cipher-option sslv2 {enable | disable}

5. Enable 256 bit ciphers for a SSH:
config network ssh cipher-option high {enable | disable}

6.  

(Cisco Controller) > config network secureweb cipher-option rc4-preference enable
This command has been deprecated!

0 Helpful
7 Replies 7

marce1000
Hall of Fame
Hall of Fame

‎07-07-2023 09:37 AM

 

 - FYI : https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/administration_of_cisco_wlc.html#ID562
           Also use : https://software.cisco.com/download/home/286284738/type/280926587/release/8.10.185.0

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R
VIP
VIP

‎07-09-2023 03:26 AM

As Marce said step number 1 upgrade to 8.10.185.0 which also resolves other known vulnerabilities.

Did you try this:

 

Enable or disable preference for RC4-SHA (Rivest Cipher 4-Secure Hash Algorithm) cipher suites (over CBC cipher suites) for web authentication and web administration by entering this command:

config network secureweb cipher-option rc4-preference {enable | disable}

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Network713
Level 1
Level 1
In response to Rich R

‎07-11-2023 06:23 PM - edited ‎07-24-2023 10:17 AM

I upgraded to the latest IOS and it is the same result.  WLC still shows that it is using vulnerable CBC & SHA1 ciphers.

(Cisco Controller) > show run-config
System Inventory
NAME: "Chassis" , DESCR: "Cisco 5520 Wireless Controller"
PID: AIR-CT5520-K9, VID: V01, SN: xxxx

System Information
Product Version.................................. 8.10.185.0
RTOS Version..................................... 8.10.185.0
Bootloader Version............................... 8.3.15.177
Emergency Image Version.......................... 8.3.141.0

(Cisco Controller) > config network secureweb cipher-option rc4-preference enable
This command has been deprecated!

0 Helpful

Rich R
VIP
VIP
In response to Network713

‎07-12-2023 08:44 AM

Then I don't think there's anything you can do about it.

The bug Marce mentioned refers to very early versions of 8.10 and is for a different command anyway so I don't think that is relevant.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

marce1000
Hall of Fame
Hall of Fame

‎07-11-2023 10:48 PM

 

        - FYI : https://bst.cisco.com/bugsearch/bug/CSCvq39439

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Network713
Level 1
Level 1
In response to marce1000

‎07-24-2023 10:10 AM

Yes, I used the GUI to config cipher high all along.
I upgraded to 8.10.185 and it still shows the same vulnerabilities.

0 Helpful

Flavio Miranda
VIP
VIP

‎07-24-2023 11:43 AM

Hi @Network713 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/administration_of_cisco_wlc.html

config network ssh cipher-option high {enable | disable}

config network secureweb sslv3 {enable | disable}

config network secureweb cipher-option rc4-preference {enable | disable}

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card