CVE-2018-0442 - Unspecified vulnerability in Cisco Wireless LAN Controller Software

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, cisco, nessus

Summary

A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. The vulnerability is due to insufficient condition checks in the part of the code that handles CAPWAP keepalive requests. An attacker could exploit this vulnerability by sending a crafted CAPWAP keepalive packet to a vulnerable Cisco WLC device. A successful exploit could allow the attacker to retrieve the contents of device memory, which could lead to the disclosure of confidential information.

Vulnerable Configurations

Part    Description    Count
OS      Cisco          176

Nessus

NASL family: CISCO
NASL id: CISCO-SA-20181017-WLC-CAPWAP-MEMORY-LEAK.NASL
description: According to its self-reported version, the Cisco Wireless LAN Controller (WLC) is affected by the following vulnerabilities: - A privilege escalation vulnerability due to improper parsing of a specific TACACS attribute. A remote attacker, authenticating to TACACS via the GUI, could create a local account with administrative privileges. (CVE-2018-0417) - A denial of service vulnerability due to flaws with specific timer mechanisms. A remote attacker could potentially cause the timer to crash, resulting in a DoS condition. (CVE-2018-0441) - An information disclosure vulnerability due to insufficient checks when handling Control and Provisioning of Wireless Access Point keepalive requests. A remote attacker, with a specially crafted CAPWAP keepalive packet, could potentially read the device's memory. (CVE-2018-0442) - A denial of service vulnerability due to improper validation of CAPWAP discovery request packets. A remote attacker could potentially disconnect associated APs, resulting in a DoS condition. (CVE-2018-0443) Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
last seen: 2020-04-30
modified: 2018-10-26
plugin id: 118461
published: 2018-10-26
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/118461
title: Cisco Wireless LAN Controller Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118461);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");

  script_cve_id(
    "CVE-2018-0417",
    "CVE-2018-0441",
    "CVE-2018-0442",
    "CVE-2018-0443"
  );
  script_bugtraq_id(
    105664,
    105667,
    105680,
    105686
  );
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf66680");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvh65876");
  script_xref(name:"CISCO-BUG-ID", value:"CSCve64652");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf66696");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-wlc-capwap-memory-leak");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-wlc-gui-privesc");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-ap-ft-dos");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-wlc-capwap-dos");

  script_name(english:"Cisco Wireless LAN Controller Multiple Vulnerabilities");
  script_summary(english:"Checks the Cisco Wireless LAN Controller (WLC) version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Wireless LAN
Controller (WLC) is affected by the following vulnerabilities:

  - A privilege escalation vulnerability due to improper parsing
    of a specific TACACS attribute. A remote attacker,
    authenticating to TACACs via the GUI, could create a local
    account with administrative privileges. (CVE-2018-0417)

  - A denial of service vulnerability due to flaws with specific
    timer mechanisms. A remote attacker could potentially cause
    the timer to crash resulting in a DoS condition.
    (CVE-2018-0441)

  - An information disclosure vulnerability due to insufficient
    checks when handling Control and Provisioning of Wireless
    Access Point keepalive requests. A remote attacker, with a
    specially crafted CAPWAP keepalive packet, could potentially
    read the devices memory. (CVE-2018-0442)

  - A denial of service vulnerability due to improper validation
    of CAPWAP discovery request packets. A remote attacker could
    potentially disconnect associated APs, resulting in a DoS
    condition. (CVE-2018-0443)

Please see the included Cisco BIDs and the Cisco Security Advisory for
more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-memory-leak
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5e14b610");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d106cd6");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-gui-privesc
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e4eb02b4");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-ap-ft-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c9605ddd");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf66680");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf66696");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh65876");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve64652");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s)
CSCvf66680, CSCvh65876, CSCve64652, and CSCvf66696.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0441");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/26");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cpe:/h:cisco:wireless_lan_controller");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_wlc_version.nasl");
  script_require_keys("Host/Cisco/WLC/Version");

  exit(0);
}

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");
include("global_settings.inc");

product_info = cisco::get_product_info(name:"Cisco Wireless LAN Controller (WLC)");

vuln_ranges = [
  { 'min_ver' : '0.0', 'fix_ver' : '8.3.140.0' },
  { 'min_ver' : '8.4', 'fix_ver' : '8.5.131.0' },
  { 'min_ver' : '8.6', 'fix_ver' : '8.7.102.0' }
];

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , "CSCvf66680, CSCvh65876, CSCve64652, and CSCvf66696"
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_ranges:vuln_ranges);
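The plugin's vuln_ranges list is what decides whether a WLC release is flagged. As an added example (not Tenable's plugin code and not from the Cisco advisory), the Python below re-implements that range test so the same fixed-release boundaries can be checked offline against a version inventory. It assumes a release is affected when min_ver <= version < fix_ver, with missing trailing version fields treated as zero ("8.4" compares as "8.4.0.0").

```python
# Added example: offline check of Cisco WLC versions against the fixed-release
# ranges listed in the Nessus plugin above. Assumption: a release is affected
# when min_ver <= version < fix_ver (this example's reading of the plugin's
# {'min_ver', 'fix_ver'} pairs, not a documented ccf.inc contract).
from itertools import zip_longest
from typing import Optional

# Ranges copied from the plugin (cisco-sa-20181017-wlc-capwap-memory-leak).
VULN_RANGES = [
    {"min_ver": "0.0", "fix_ver": "8.3.140.0"},
    {"min_ver": "8.4", "fix_ver": "8.5.131.0"},
    {"min_ver": "8.6", "fix_ver": "8.7.102.0"},
]


def parse_version(ver: str) -> tuple:
    """Turn '8.5.131.0' into (8, 5, 131, 0); non-numeric fields raise ValueError."""
    parts = ver.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable Cisco WLC version: {ver!r}")
    return tuple(int(p) for p in parts)


def compare(a: str, b: str) -> int:
    """Compare dotted versions; missing trailing fields count as 0 ('8.4' == '8.4.0.0')."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def first_fixed_release(version: str) -> Optional[str]:
    """Return the fix_ver of the range covering `version`, or None if not affected."""
    for r in VULN_RANGES:
        if compare(version, r["min_ver"]) >= 0 and compare(version, r["fix_ver"]) < 0:
            return r["fix_ver"]
    return None


def is_affected(version: str) -> bool:
    return first_fixed_release(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions, not real devices).
    for host, ver in [("wlc-a", "8.3.133.0"), ("wlc-b", "8.5.131.0"), ("wlc-c", "8.6.101.0")]:
        fix = first_fixed_release(ver)
        print(f"{host}: {ver} -> {'upgrade to ' + fix if fix else 'not in an affected range'}")
```

Note that a version such as 8.3.150.0 falls above the first range's fix_ver and below the second range's min_ver, so it is reported as not affected, exactly as the plugin's three disjoint ranges would treat it.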