SB2018101804 - Multiple vulnerabilities in Cisco Wireless LAN Controller
Published: October 18, 2018
Description
This security bulletin contains information about 7 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2018-0420)
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.
The weakness exists in the web-based interface of Cisco Wireless LAN Controller Software due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames and pathnames. A remote attacker can use directory traversal techniques to submit a path to a desired file location and view system files on the targeted device, which may contain sensitive information.
2) Information disclosure (CVE-ID: CVE-2018-0416)
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists in the web-based interface of Cisco Wireless LAN Controller Software due to incomplete input and validation checking mechanisms in the web-based interface URL request. A remote attacker can request specific URLs via the web-based interface and view sensitive system information.
3) Privilege escalation (CVE-ID: CVE-2018-0417)
The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.
The weakness exists in TACACS authentication with Cisco Wireless LAN Controller (WLC) Software due to incorrect parsing of a specific TACACS attribute received in the TACACS response from the remote TACACS server. A remote attacker can authenticate via TACACS to the GUI on the affected device, create local user accounts with administrative privileges on an affected WLC and execute other commands that are not allowed from the CLI and should be prohibited.
4) Information disclosure (CVE-ID: CVE-2018-0442)
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software due to insufficient condition checks in the part of the code that handles CAPWAP keepalive requests. A remote attacker can send a specially crafted CAPWAP keepalive packet to a vulnerable Cisco WLC device and retrieve the contents of device memory, which can lead to the disclosure of confidential information.
5) Information disclosure (CVE-ID: CVE-2018-0443)
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software due to improper input validation on fields within CAPWAP Discovery Request packets. A remote attacker can cause the Cisco WLC Software to disconnect associated access points (APs).
6) Privilege escalation (CVE-ID: CVE-2018-15395)
The vulnerability allows an adjacent authenticated attacker to gain elevated privileges on the target system.
The weakness exists in the authentication and authorization checking mechanisms of Cisco Wireless LAN Controller (WLC) Software due to the dynamic assignment of Security Group Tags (SGTs) during a wireless roam from one Service Set Identifier (SSID) to another within the Cisco TrustSec domain. An adjacent attacker can attempt to acquire an SGT from other SSIDs within the domain and gain privileged network access that should be prohibited under normal circumstances.
7) Cross-site scripting (CVE-ID: CVE-2018-0388)
The disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Remediation
Install the update from the vendor's website.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-traversa...
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-id
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-gui-privesc
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-memory-leak
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-dos
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlan-escalation
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlan-xss