-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1098
        Multiple Vulnerabilities in Cisco Wireless LAN Controllers
                               28 July 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco 1500 Series
                   Cisco 2000 Series
                   Cisco 2100 Series
                   Cisco 4100 Series
                   Cisco 4200 Series
                   Cisco 4400 Series
                   Cisco Wireless Services Modules
                   WLC Modules for Cisco Integrated Services Routers
                   Cisco Catalyst 3750G Integrated Wireless LAN Controllers
Publisher:         Cisco Systems
Operating System:  Cisco
                   Network Appliance
Impact/Access:     Administrator Compromise -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
Resolution:        Patch
CVE Names:         CVE-2009-1167 CVE-2009-1166 CVE-2009-1165
                   CVE-2009-1164  

Original Bulletin: 
   http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Advisory ID: cisco-sa-20090727-wlc

http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml

Revision 1.0

For Public Release 2009 July 27 1600 UTC (GMT)

- - ---------------------------------------------------------------------

Summary

Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:

  * Malformed HTTP or HTTPS authentication response denial of service
    vulnerability
  * SSH connections denial of service vulnerability
  * Crafted HTTP or HTTPS request denial of service vulnerability
  * Crafted HTTP or HTTPS request unauthorized configuration
    modification vulnerability

Cisco has released free software updates that address these
vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco 1500 Series, 2000 Series, 2100 Series, 4400 Series, 4100
Series, 4200 Series, Wireless Services Modules (WiSM), WLC Modules
for Integrated Services Routers, and Cisco Catalyst 3750G Integrated
Wireless LAN Controllers are affected by one or more of the following
vulnerabilities:

  * The malformed HTTP or HTTPS authentication response denial of
    service vulnerability affects software versions 4.2 and later.
  * The SSH connections denial of service vulnerability affects
    software versions 4.1 and later.
  * The crafted HTTP or HTTPS request denial of service vulnerability
    affects software versions 4.1 and later.
  * The crafted HTTP or HTTPS request unauthorized configuration
    modification vulnerability affects software versions 4.1 and
    later.

Determination of Software Versions
+---------------------------------

To determine the WLC version that is running in a given environment,
use one of the following methods:

  * In the web interface, choose the Monitor tab, click Summary in
    the left pane, and note the Software Version field.
   
    Note:  Customers who use a WLC Module in an Integrated Services
    Router (ISR) will need to issue the service-module
    wlan-controller 1/0 session command prior to performing the next
    step on the command line. Customers who use a Cisco Catalyst
    3750G Switch with an integrated WLC Module will need to issue the
    session <Stack-Member-Number> processor 1 session command prior
    to performing the next step on the command line.
   
  * From the command-line interface, type show sysinfo and note the 
    Product Version field, as shown in the following example:

    (Cisco Controller) >show sysinfo 
    
    Manufacturer's Name.. Cisco Systems Inc.
    Product Name......... Cisco Controller
    Product Version...... 5.1.151.0
    RTOS Version......... Linux-2.6.10_mvl401
    Bootloader Version... 4.0.207.0
    Build Type........... DATA + WPS
    <output suppressed>
    

Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.

    Router#show wism module 3 controller 1 status
    
    WiSM Controller 1 in Slot 3
    Operational Status of the Controller    
       : Oper-Up
    Service VLAN                            
       : 192   
    Service Port                            
       : 10    
    Service Port Mac Address                
       : 0011.92ff.8742
    Service IP Address                      
       : 192.168.10.1
    Management IP Address                   
       : 192.168.1.123
    Software Version                        
       : 5.1.151.0
    Port Channel Number                     
       : 288   
    Allowed vlan list                       
       : 30,40 
    Native VLAN ID                          
       : 40    
    WCP Keep Alive Missed                   
       : 0
    

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.

Details
=======

Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.

These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).

This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.

  * Malformed HTTP or HTTPS authentication response denial of service
    vulnerability
    An attacker with access to the administrative web interface via
    HTTP or HTTPS may cause the device to reload by providing a
    malformed response to an authentication request.
   
    Note:  The vulnerability can be exploited only via the
    administrative web-based interface; Web Authentication features
    are not affected.
   
   
    This vulnerability is documented in Cisco Bug ID CSCsx03715 and
    has been assigned Common Vulnerabilities and Exposures (CVE) ID
    CVE-2009-1164.

  * SSH connections denial of service vulnerability
    Affected devices may be susceptible to a memory leak when they
    handle SSH management connections. An attacker could use this
    behavior to cause an affected device to crash and reload.
   
    Note:  A three-way handshake is not required to exploit this
    vulnerability.
   
    This vulnerability is documented in Cisco Bug ID CSCsw40789 and
    has been assigned CVE ID CVE-2009-1165.

  * Crafted HTTP or HTTPS request denial of service vulnerability
    An attacker with the ability to send a malicious HTTP request to
    an affected WLC could cause the device to crash and reload.
   
    Note:  The vulnerability can be exploited only via the
    administrative web-based interface; Web Authentication features
    are not affected.
   
    This vulnerability is documented in Cisco Bug ID CSCsy27708 and
    has been assigned CVE ID CVE-2009-1166.

  * Crafted HTTP or HTTPS request unauthorized configuration
    modification vulnerability
    An unauthorized configuration modification vulnerability exists
    in all software versions prior to the first fixed release. A
    remote, unauthenticated attacker who can submit HTTP or HTTPS
    requests to the WLC directly could gain full control of the
    affected device.
   
    Note:  The vulnerability can be exploited only by submitting such
    a request to an IP address that is bound to an administrative
    interface or VLAN.
   
   
    The vulnerability is documented by Cisco Bug ID CSCsy44672 and has
    been assigned CVE ID CVE-2009-1167.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss

CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------

CVSS Base Score - 7.8

        Access Vector            - Network
        Access Complexity        - Low
        Authentication           - None
        Confidentiality Impact   - None
        Integrity Impact         - None
        Availability Impact      - Complete

CVSS Temporal Score - 6.4

        Exploitability           - Functional
        Remediation Level        - Official-Fix
        Report Confidence        - Confirmed

CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------

CVSS Base Score - 7.8

        Access Vector            - Network
        Access Complexity        - Low
        Authentication           - None
        Confidentiality Impact   - None
        Integrity Impact         - None
        Availability Impact      - Complete

CVSS Temporal Score - 6.4

        Exploitability           - Functional
        Remediation Level        - Official-Fix
        Report Confidence        - Confirmed

CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------

CVSS Base Score - 7.8

        Access Vector            - Network
        Access Complexity        - Low
        Authentication           - None
        Confidentiality Impact   - None
        Integrity Impact         - None
        Availability Impact      - Complete

CVSS Temporal Score - 6.4

        Exploitability           - Functional
        Remediation Level        - Official-Fix
        Report Confidence        - Confirmed

CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------

CVSS Base Score - 10

        Access Vector            - Network
        Access Complexity        - Low
        Authentication           - None
        Confidentiality Impact   - Complete
        Integrity Impact         - Complete
        Availability Impact      - Complete

CVSS Temporal Score - 6.4

        Exploitability           - Functional
        Remediation Level        - Official-Fix
        Report Confidence        - Confirmed

Impact
=====

Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.

An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.comw/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

+------------------------------------------------------+
| Vulnerability/ | Affected | First      | Recommended |
| Bug ID         | Release  | Fixed      | Release     |
|                |          | Version    |             |
|----------------+----------+------------+-------------|
|                | 4.1      | Not        | Not         |
|                |          | Vulnerable | Vulnerable  |
|                |----------+------------+-------------|
|                | 4.1M     | Not        | Not         |
|                |          | Vulnerable | Vulnerable  |
|                |----------+------------+-------------|
|                | 4.2      | 4.2.205.0  | 4.2.207.0   |
|                |----------+------------+-------------|
| Malformed HTTP | 4.2M     | Not        | Not         |
| or HTTPS       |          | Vulnerable | Vulnerable  |
|authentication  |----------+------------+-------------|
| response       |          | Migrate to | 5.2.193.0   |
| denial of      | 5.0      | 5.2 or 6.0 | or          |
| service        |          |            | 6.0.182.0   |
|vulnerability   |----------+------------+-------------|
| (CSCsx03715)   |          | Migrate to | 5.2.193.0   |
|                | 5.1      | 5.2 or 6.0 | or          |
|                |          |            | 6.0.182.0   |
|                |----------+------------+-------------|
|                |          |            | 5.2.193.0   |
|                | 5.2      | 5.2.178.0  | or          |
|                |          |            | 6.0.182.0   |
|                |----------+------------+-------------|
|                | 6.0      | Not        | Not         |
|                |          | Vulnerable | Vulnerable  |
|----------------+----------+------------+-------------|
|                | 4.1      | Migrate to | 4.2.205.0   |
|                |          | 4.2        |             |
|                |----------+------------+-------------|
|                |          |            | 5.2.193.0,  |
|                |          | Migrate to | 6.0.182.0   |
|                | 4.1M     | 5.2, 6.0,  | or          |
|                |          | or 4.2M    | 4.2.176.51  |
|                |          |            | Mesh        |
|                |----------+------------+-------------|
|                | 4.2      | 4.2.205.0  | 4.2.207.0   |
|                |----------+------------+-------------|
| SSH            | 4.2M     | Not        | Not         |
| connections    |          | Vulnerable | Vulnerable  |
|denial of       |----------+------------+-------------|
| service        |          | Migrate to | 5.2.193.0   |
| vulnerability  | 5.0      | 5.2 or 6.0 | or          |
| (CSCsw40789)   |          |            | 6.0.182.0   |
|                |----------+------------+-------------|
|                |          |            | 5.2.193.0   |
|                | 5.1      | 5.1.163.0  | or          |
|                |          |            | 6.0.182.0   |
|                |----------+------------+-------------|
|                |          |            | 5.2.193.0   |
|                | 5.2      | 5.2.178.0  | or          |
|                |          |            | 6.0.182.0   |
|                |----------+------------+-------------|
|                | 6.0      | Not        | Not         |
|                |          | Vulnerable | Vulnerable  |
|----------------+----------+------------+-------------|
|                | 4.1      | Migrate to | 4.2.205.0   |
|                |          | 4.2        |             |
|                |----------+------------+-------------|
|                |          |            | 5.2.193.0,  |
|                |          | Migrate to | 6.0.182.0   |
|                | 4.1 M    | 5.2, 6.0,  | or          |
|                |          | or 4.2M    | 4.2.176.51  |
|                |          |            | Mesh        |
|                |----------+------------+-------------|
|                | 4.2      | 4.2.205.0  | 4.2.207.0   |
|                |----------+------------+-------------|
| Crafted HTTP   | 4.2M     | Not        | Not         |
| request may    |          | Vulnerable | Vulnerable  |
|cause the WLC   |----------+------------+-------------|
| to crash       |          | Migrate to | 5.2.193.0   |
| (CSCsy27708)   | 5.0      | 5.2 or 6.0 | or          |
|                |          |            | 6.0.182.0   |
|                |----------+------------+-------------|
|                |          | Migrate to | 5.2.193.0   |
|                | 5.1      | 5.2 or 6.0 | or          |
|                |          |            | 6.0.182.0   |
|                |----------+------------+-------------|
|                |          |            | 5.2.193.0   |
|                | 5.2      | 5.2.191.0  | or          |
|                |          |            | 6.0.182.0   |
|                |----------+------------+-------------|
|                | 6.0      | Not        | Not         |
|                |          | Vulnerable | Vulnerable  |
|----------------+----------+------------+-------------|
|                | 4.1      | Migrate to | 4.2.205.0   |
|                |          | 4.2        |             |
|                |----------+------------+-------------|
|                |          |            | 5.2.193.0,  |
|                |          | Migrate to | 6.0.182.0   |
|                | 4.1M     | 5.2, 6.0,  | or          |
|                |          | or 4.2M    | 4.2.176.51  |
|                |          |            | Mesh        |
|                |----------+------------+-------------|
| Crafted HTTP   | 4.2      | 4.2.205.0  | 4.2.207.0   |
|or HTTPS        |----------+------------+-------------|
| request        | 4.2M     | Not        | Not         |
| unauthorized   |          | Vulnerable | Vulnerable  |
|configuration   |----------+------------+-------------|
| modification   | 5.0      | Migrate to | 5.2.193.0,  |
| vulnerability  |          | 5.2 or 6.0 | 6.0.182.0   |
|(CSCsy44672)    |----------+------------+-------------|
|                |          | Migrate to | 5.2.193.0   |
|                | 5.1      | 5.2 or 6.0 | or          |
|                |          |            | 6.0.182.0   |
|                |----------+------------+-------------|
|                |          |            | 5.2.193.0   |
|                | 5.2      | 5.2.191.0  | or          |
|                |          |            | 6.0.182.0   |
|                |----------+------------+-------------|
|                | 6.0      | Not        | Not         |
|                |          | Vulnerable | Vulnerable  |
+------------------------------------------------------+

Workarounds
===========

The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.

Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers with Service Contracts
================================

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.

The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.

The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.

The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.

The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.

Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at :

http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
================
+---------------------------------------+
| Revision |              | Initial     |
| 1.0      | 2009-July-27 | public      |
|          |              | release.    |
+---------------------------------------+

Cisco Security Procedures 
========================= 

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices.  All Cisco security advisories are available at
http://www.cisco.com/go/psirt

© 2008 - 2009 Cisco Systems, Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj
RTTknUlr0VuKxVZLT0f8+gQ=
=x8Ly
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKbmOSNVH5XJJInbgRAoiwAJ9xNQaW/gXr0jlm5dduIRyl+C+t1QCfXUgl
B34UEgEFVo2bpKc9/CL19CE=
=NRuB
-----END PGP SIGNATURE-----