Vulnerabilities > CVE-2016-9195 - Resource Management Errors vulnerability in Cisco Wireless LAN Controller 8.3.102.0

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
LOW
network
low complexity
cisco
CWE-399
nessus

Summary

A vulnerability in RADIUS Change of Authorization (CoA) request processing in the Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition by disconnecting a single connection. This vulnerability affects Cisco Wireless LAN Controller running software release 8.3.102.0. More Information: CSCvb01835. Known Fixed Releases: 8.4(1.49) 8.3(111.0) 8.3(108.0) 8.3(104.24) 8.3(102.3).

Vulnerable Configurations

Part Description Count
Application
Cisco
1

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20170405-WLC1.NASL
descriptionAccording to its self-reported version, the Cisco Wireless LAN Controller (WLC) software running on the remote device is affected by multiple denial of service vulnerabilities : - A denial of service vulnerability exists in the RADIUS Change of Authorization (CoA) request processing due to improper validation of the RADIUS CoA packet header. An unauthenticated, remote attacker can exploit this, via a specially crafted RADIUS CoA packet, to disconnect connections through the WLC. (CVE-2016-9195) - A denial of service vulnerability exists in the web management interface due to a missing internal handler for a specific request. An unauthenticated, remote attacker can exploit this, by accessing a hidden URL on the web management interface, to cause the device to reload. (CVE-2017-3832)
last seen2020-06-01
modified2020-06-02
plugin id99472
published2017-04-19
reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/99472
titleCisco Wireless LAN Controller Multiple DoS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99472);
  script_version("1.5");
  script_cvs_date("Date: 2018/07/06 11:26:06");

  script_cve_id("CVE-2016-9195", "CVE-2017-3832");
  script_bugtraq_id(97421, 97425);
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170405-wlc1");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170405-wlc3");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvb01835");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvb48198");

  script_name(english:"Cisco Wireless LAN Controller Multiple DoS");
  script_summary(english:"Checks the WLC version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing vendor-supplied security patches.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Wireless LAN
Controller (WLC) software running on the remote device is affected by
multiple denial of service vulnerabilities :

  - A denial of service vulnerability exists in the RADIUS
    Change of Authorization (CoA) request processing due to
    improper validation of the RADIUS CoA packet header. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted RADIUS CoA packet, to disconnect
    connections through the WLC. (CVE-2016-9195)

  - A denial of service vulnerability exists in the web
    management interface due to a missing internal handler
    for a specific request. An unauthenticated, remote
    attacker can exploit this, by accessing a hidden URL on
    the web management interface, to cause the device to
    reload. (CVE-2017-3832)");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-wlc1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a98ac301");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-wlc3
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1bc8cd49");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb01835");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb48198");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs
CSCvb01835 and CSCvb48198.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/19");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:wireless_lan_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:wireless_lan_controller_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  script_dependencies("cisco_wlc_version.nasl");
  script_require_keys("Host/Cisco/WLC/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");

version = get_kb_item_or_exit("Host/Cisco/WLC/Version");
device = "Cisco Wireless LAN Controller";
model = get_kb_item("Host/Cisco/WLC/Model");
if (!empty_or_null(model))
  device += " " + model;
fix = "";

# Only affects 8.3.102.0
if (version == "8.3.102.0")
  fix = "Upgrade to 8.3(111.0) or later.";

if (!fix) audit(AUDIT_DEVICE_NOT_VULN, device, version);

order = make_list("Device", "Installed version", "Fixed version");
report = make_array(
  order[0], device,
  order[1], version,
  order[2], fix
);
report = report_items_str(report_items:report, ordered_fields:order);

security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);