Multiple vulnerabilities in Cisco Wireless LAN Controllers
Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service, and mobility.
These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP) and the Control and Provisioning of Wireless Access Points (CAPWAP) protocol.
The Cisco WLC family of devices is affected by 2 denial of service vulnerabilities, 3 privilege escalation vulnerabilities, and 2 access control list bypass vulnerabilities. The following are the details about these vulnerabilities.
IKE DoS vulnerability
An attacker with the ability to send a malicious IKE packet to an affected Cisco WLC could cause the device to crash and reload. This vulnerability can be exploited from both wired and wireless segments.
IKE is enabled by default in the WLC and cannot be disabled. Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability.
HTTP DoS vulnerability
An authenticated attacker with the ability to send a series of malicious HTTP packets to an affected Cisco WLC could cause the device to reload. This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability.
Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. WebAuth or guest access is not affected by this vulnerability.
Privilege escalation vulnerabilities
Three privilege escalation vulnerabilities exist in the Cisco WLCs that could allow an authenticated attacker with read-only privileges to modify the device configuration.
Access control list bypass vulnerabilities
ACLs can be configured in the Cisco WLCs and applied to data traffic to and from wireless clients or to all traffic that is destined for the controller CPU. After ACLs are defined, they can be applied to the management interface, the access point manager (AP-manager) interface, or any of the dynamic interfaces for client data traffic or to the Network Processing Unit (NPU) interface for traffic to the controller CPU. Two vulnerabilities exist in the Cisco WLCs that could allow an unauthenticated attacker to bypass policies that should be enforced by CPU-based ACLs. No other ACL types are affected by these vulnerabilities.
CPU-based ACLs are configured and applied by navigating to Security > Access Control Lists > CPU Access Control Lists in the Cisco WLC web management interface. When CPU-based ACLs are enabled, they are applicable to both wireless and wired traffic.