Vulnerabilities > CVE-2018-0235 - Unspecified vulnerability in Cisco Wireless LAN Controller Software 8.6(1.106)/8.6(1.114)

047910
CVSS 7.4 - HIGH
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
low complexity
cisco
nessus

Summary

A vulnerability in the 802.11 frame validation functionality of the Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability is due to incomplete input validation of certain 802.11 management information element frames that an affected device receives from wireless clients. An attacker could exploit this vulnerability by sending a malformed 802.11 management frame to an affected device. A successful exploit could allow the attacker to cause the affected device to reload unexpectedly, resulting in a DoS condition. This vulnerability affects only Cisco Wireless LAN Controllers that are running Cisco Mobility Express Release 8.5.103.0. Cisco Bug IDs: CSCvg07024.

Nessus

NASL familyCISCO
NASL idCISCO-SA-20180502-WLC-MFDOS.NASL
descriptionAccording to its self-reported version, the Cisco Wireless LAN Controller (WLC) is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
last seen2020-06-01
modified2020-06-02
plugin id109728
published2018-05-11
reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/109728
titleCisco Wireless LAN Controller Multiple Vulnerabilities
code
#TRUSTED 349e0afa01a50b75b7bdb5aa9204f1ae4bde474baef0997e3f7aad8756d68733086e80e7768a85bdb61804e9b7272bba9d70b35cef8cce3f5f81abffcb59f551f887f3dfaf59ae0a9eece3a0e945f071e61981970b4547319d2358bc6f3359791f2fae93602351707a1688217cfb9e6ae0c708ebd08cc2c4843d55c94e5729309fc4eb8b39a56614a62981403a56cd38468aa33a03f89752636aea796ca600296bd8972d5f2950c689cf316a39ae2cf337ce570eb73b471dbf25bc2fe93bb4009c9c6b61f14c247bc491677056fccb34eed93fd03d686e4589fcb14ae0d74675e160d8c8548c0cded550516402c62127e7a00f53f5e21808a737775091607b3e010abdbd75002f6c8c6c87118221dbd30b78438b98624cb19e556450d5c8742b86182627bc69ce3df0e0568f04b82744dfb57cb3e365793563a27ab6743953069885890bfc71f78e8bf26557eb92a879a697c1d2ff8805066a2a8522dce60820051ae400b9d9b218895f58c4c384f5820c7f13bebeb25e0e7656af84139ae5a6fd65d5b6fceff51f5cfb0d55863adf23f26495cf8f7120c1d282d323e68c8ecfc9b5280d4de115b1305d2d367b31e9ed20de5007760ca1c171db4865ad2d0420257927c8ea762f902dd363f268b6b91faae24d211b60b312c140b23935eb31c5ca8f461c24799c7b8281d9e92b3f597edd64effd8244fcff1f4e12ccee28b676
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(109728);
  script_version("1.12");
  script_cvs_date("Date: 2019/12/20");

  script_cve_id(
    "CVE-2018-0226",
    "CVE-2018-0234",
    "CVE-2018-0235",
    "CVE-2018-0252"
  );
  script_bugtraq_id(104080, 104081, 104124);
  script_xref(name:"CISCO-BUG-ID", value:"CSCva68116");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf73890");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvg07024");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf89222");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180502-aironet-ssh");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180502-ap-ptp");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180502-wlc-mfdos");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180502-wlc-ip");

  script_name(english:"Cisco Wireless LAN Controller Multiple Vulnerabilities");
  script_summary(english:"Checks the Cisco Wireless LAN Controller (WLC) version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Wireless LAN 
Controller (WLC) is affected by one or more vulnerabilities. 
Please see the included Cisco BIDs and the Cisco Security 
Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-aironet-ssh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9e1aa030");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-ap-ptp
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fe723823");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-wlc-mfdos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?468b6972");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-wlc-ip
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?24673826");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva68116");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf73890");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg07024");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf89222");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s)
CSCva68116, CSCvf73890, CSCvg07024, and CSCvf89222.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0226");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/11");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cpe:/h:cisco:wireless_lan_controller");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_wlc_version.nasl");
  script_require_keys("Host/Cisco/WLC/Version");

  exit(0);
}

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");
include("global_settings.inc");

product_info = cisco::get_product_info(name:"Cisco Wireless LAN Controller (WLC)");

if (product_info['model'] !~ "[^0-9]+(18|28|38|55|85)[0-9][0-9][^0-9]+" &&
    product_info['version'] != "8.5.103.0")
  audit(AUDIT_HOST_NOT, "affected");

if (product_info['model'] =~ "[^0-9]+(18)[0-9][0-9][^0-9]+")
{
  min_ver = '8.2.121.0';
}
else if (product_info['model'] =~ "[^0-9]+(28|38)[0-9][0-9][^0-9]+")
{
  min_ver = '8.2.102.0';
}
else if (product_info['model'] =~ "[^0-9]+(55|85)[0-9][0-9][^0-9]+")
{
  min_ver = '8.4.0.0';
}
else
{
  min_ver = '8.2.0.0';
}

vuln_ranges = [
  { 'min_ver' : min_ver, 'fix_ver' : '8.5.120.0' }
];

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();


reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , "CSCva68116, CSCvf73890, CSCvg07024, and CSCvf89222"
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_ranges:vuln_ranges);