Vulnerabilities > CVE-2018-0417 - Unspecified vulnerability in Cisco Wireless LAN Controller Software

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
cisco
nessus
NVD
Published: 2018-10-17
Updated: 2023-04-26

Summary

A vulnerability in TACACS authentication with Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, local attacker to perform certain operations within the GUI that are not normally available to that user on the CLI. The vulnerability is due to incorrect parsing of a specific TACACS attribute received in the TACACS response from the remote TACACS server. An attacker could exploit this vulnerability by authenticating via TACACS to the GUI on the affected device. A successful exploit could allow an attacker to create local user accounts with administrative privileges on an affected WLC and execute other commands that are not allowed from the CLI and should be prohibited.

Vulnerable Configurations

Part Description Count
OS
Cisco
165

Nessus

NASL familyCISCO
NASL idCISCO-SA-20181017-WLC-CAPWAP-MEMORY-LEAK.NASL
descriptionAccording to its self-reported version, the Cisco Wireless LAN Controller (WLC) is affected by the following vulnerabilities: - A privilege escalation vulnerability due to improper parsing of a specific TACACS attribute. A remote attacker, authenticating to TACACs via the GUI, could create a local account with administrative privileges. (CVE-2018-0417) - A denial of service vulnerability due to flaws with specific timer mechanisms. A remote attacker could potentially cause the timer to crash resulting in a DoS condition. (CVE-2018-0441) - An information disclosure vulnerability due to insufficient checks when handling Control and Provisioning of Wireless Access Point keepalive requests. A remote attacker, with a specially crafted CAPWAP keepalive packet, could potentially read the devices memory. (CVE-2018-0442) - A denial of service vulnerability due to improper validation of CAPWAP discovery request packets. A remote attacker could potentially disconnect associated APs, resulting in a DoS condition. (CVE-2018-0443) Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
last seen2020-04-30
modified2018-10-26
plugin id118461
published2018-10-26
reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/118461
titleCisco Wireless LAN Controller Multiple Vulnerabilities
code
#TRUSTED 418ad72afdcb672d1fb175234eb81aa147605da9725b9c60e21d568e8ee798dde7d6c08fd4a2cdf123227ee8948a900d69c5a592a49d6781f40976e2bf273709e6b4a353f6f901ae3a180d226bf8a18cf6cc6c8b14b50e2171869947235d814dc1a69a29fde74170a854c530cfe10c1720ffa63a37b1bfac5f3ebba96297f7920df3a89ea3b848b30a9e244a247edaeab9d70217e2d66ac292cf88abb87f7df9a5aad2e9ba31468339d70c470f3d5602b244832d1cba1e9059619d819e42923d20cf87b596696875df7138566311c021c53b50ea0c4ba9871e4c126fb015d989508205a162bbf9b09861004ae1a6f10eccd728cd3e0dc18d17432746d1e5ee4db80a68102c8215532d44d87c9452a7979168069887344a71cb67c63ad976ed9e381cd0c6bc334ab261a5d71a0487c37dfcdf4f016293d1e44fe1914818aae96d6cac1ea1431467b9be4b6f33e8034b75fb31584ea6c42d6a210f56ecce9c5abf21eaa98c5d86c919f8edce33595ec3dbdebb8cca630e116e88af6a6d28ccb8dae54d5d6845bb11356914086d3010a16dbab04c1c61a502e2d2ec14e027baf4c5429aea955bbf007a73e7e0e0d5d79e8be6b9c62b96b9350306ffb2f5e0c991d571a4098b31bce667d55f39614a54ef8726c57eb884d934d51cdb290e4c644256d49a522b7a4de147c9832accbe07618b2126a8756302a8aaa1e9a807f718e5cb
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118461);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");

  script_cve_id(
    "CVE-2018-0417",
    "CVE-2018-0441",
    "CVE-2018-0442",
    "CVE-2018-0443"
  );
  script_bugtraq_id(
    105664,
    105667,
    105680,
    105686
  );
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf66680");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvh65876");
  script_xref(name:"CISCO-BUG-ID", value:"CSCve64652");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf66696");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-wlc-capwap-memory-leak");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-wlc-gui-privesc");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-ap-ft-dos");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-wlc-capwap-dos");

  script_name(english:"Cisco Wireless LAN Controller Multiple Vulnerabilities");
  script_summary(english:"Checks the Cisco Wireless LAN Controller (WLC) version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Wireless LAN
Controller (WLC) is affected by the following vulnerabilities:

  - A privilege escalation vulnerability due to improper parsing
    of a specific TACACS attribute. A remote attacker,
    authenticating to TACACs via the GUI, could create a local
    account with administrative privileges. (CVE-2018-0417)

  - A denial of service vulnerability due to flaws with specific
    timer mechanisms. A remote attacker could potentially cause
    the timer to crash resulting in a DoS condition.
    (CVE-2018-0441)

  - An information disclosure vulnerability due to insufficient
    checks when handling Control and Provisioning of Wireless
    Access Point keepalive requests. A remote attacker, with a
    specially crafted CAPWAP keepalive packet, could potentially
    read the devices memory. (CVE-2018-0442)

  - A denial of service vulnerability due to improper validation
    of CAPWAP discovery request packets. A remote attacker could
    potentially disconnect associated APs, resulting in a DoS
    condition. (CVE-2018-0443)

Please see the included Cisco BIDs and the Cisco Security Advisory for
more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-memory-leak
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5e14b610");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d106cd6");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-gui-privesc
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e4eb02b4");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-ap-ft-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c9605ddd");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf66680");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf66696");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh65876");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve64652");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s)
CSCvf66680, CSCvh65876, CSCve64652, and CSCvf66696.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0441");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/26");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cpe:/h:cisco:wireless_lan_controller");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_wlc_version.nasl");
  script_require_keys("Host/Cisco/WLC/Version");

  exit(0);
}

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");
include("global_settings.inc");

product_info = cisco::get_product_info(name:"Cisco Wireless LAN Controller (WLC)");

vuln_ranges = [
  { 'min_ver' : '0.0', 'fix_ver' : '8.3.140.0' },
  { 'min_ver' : '8.4', 'fix_ver' : '8.5.131.0' },
  { 'min_ver' : '8.6', 'fix_ver' : '8.7.102.0' }
];

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , "CSCvf66680, CSCvh65876, CSCve64652, and CSCvf66696"
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_ranges:vuln_ranges);

References