While doing some script injection tests during an internal security assessment on a Cisco WLC 2504 I’ve noticed that the system I’m testing on suddenly went silent. First of all I thought about a coincidence during my tests and stopped as the system was no longer reachable from my side.
Couple of hours later, the system was back online so I did the same test one more time and, the system disappeared again.
Okay? Well, that was probably no coincidence at all. Maybe I’ve something new? I’ve tested on a different WLC I’ve access to and the exact same behavior showed up. Checked the release we’re on, and it’s the latest of 8.5 (8.5.140.0) track. I’ve rated that a DoS from this time on.
So I’ve contacted Cisco PSIRT at this point. That was in mid-June 2019.
First Cisco PSIRT contact was taking care of the report, later on I’ve got an Incident Manager assigned who handled the communication from that point on, which was much appreciated, very responsive and friendly at all time.
Shortly after Cisco confirmed that the vulnerability exists and was not even known to Cisco, a first release date for a patch was announced to me: October 16h. Unfortunately the patch was postponed to Nov 6th later.
Cisco confirmed my report ended up scoring a 7.7 CVSS (High) after they finished their investigations. It’s exploitable from arbitrary users on WLC, even with lowest permissions. Successful exploit ends up in a system crash and reboot which is a DoS condition.
After a while, Cisco asked me If I’m okay with a patch date of January 8th 2020 which was, at least for me, not acceptable, as it would mean waiting more than half a year. We agreed on publishing information on Nov 6th 2019 which includes information that 8.10 is not vulnerable and a fix for other releases in January 2020.
Today, November 6th, the Cisco PSIRT released the public CVE/Report for this vulnerability, providing a not vulnerable version which is 8.10. Releases before 8.5 are also not vulnerable. All from 8.4 to 8.9 are affected.
Exploit details:
You need a valid user login to the affected Cisco WLC. After you login to the device, there is a feature to view details of rough APs, known APs and other details. This is where the vulnerability hits. As said, I found it while testing for script injections:
https://WLCIPorHostname/screens/dashboard.html#/RogueApDetail/00:00:00:00:00:00">'><img src="xxxxx">Fire this line on an affected device will cause it to crash and restart. Surely also other, probably even more simple payloads will do the trick.
Thanks to Cisco PSIRT for the exemplary incident handling and the credits in the report:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wlc-dos
Note: after sending a preview of this blog to Cisco, they asked me postponing the disclosure until January 2020 or hiding the exploit details in order to protect their customers until a patch for all releases became available. I disagreed as there was plenty of time to release a patch in my mind.