Reference: CERT-EU Security Advisory 2012-0025

Title: Multiple Vulnerabilities in Cisco Wireless LAN Controllers[1]

Version history:
01.03.2012 Initial publication

Summary
=======

CVSS Base Scores

CVE-2012-0368: HTTP Denial of Service Vulnerability
CVSS v2 Base Score: 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C) [3]

CVE-2012-0369: IPv6 Denial of Service Vulnerability
CVSS v2 Base Score: 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C) [3]

CVE-2012-0370: WebAuth Denial of Service Vulnerability
CVSS v2 Base Score: 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C) [3]

CVE-2012-0371: Unauthorized Access Vulnerability
CVSS v2 Base Score: 9.3 (CRITICAL) (AV:N/AC:M/Au:N/C:C/I:C/A:C) [3]

Affected Versions
=================

For all vulnerabilities: Cisco Wireless LAN Controller before version 7.0

Original Details
================

CVE-2012-0368: HTTP Denial of Service Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by a
denial of service (DoS) vulnerability that could allow an unauthenticated,
remote attacker to cause the device to crash by submitting a malformed URL
to the administrative management interface.

CVE-2012-0369: IPv6 Denial of Service Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by a
denial of service (DoS) vulnerability where an unauthenticated attacker
could cause a device reload by sending a series of IPv6 packets.

CVE-2012-0370: WebAuth Denial of Service Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by a
denial of service (DoS) vulnerability where an unauthenticated attacker
could cause a device reload by sending a series of HTTP or HTTPS packets to
an affected controller configured for WebAuth. This vulnerability can be
exploited from both wired and wireless segments. A TCP three-way handshake
is needed in order to exploit this vulnerability.

CVE-2012-0371: Unauthorized Access Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by an
unauthorized access vulnerability where an unauthenticated attacker could
view and modify the configuration of an affected Cisco WLC. This
vulnerability exists if CPU based access control lists (ACLs) are configured
in the wireless controller. An attacker can exploit this vulnerability by
connecting to the controller over TCP port 1023. Only the Cisco 4400 Series
WLCs, WiSM version 1, and Cisco Catalyst 3750G Integrated WLCs are affected
by this vulnerability.

More details are provided in the CISCO advisory [1].

What can you do?
================

Deploy the updated versions of the software [2].

Workarounds:

For CVE-2012-0371: Unauthorized Access Vulnerability

CPU based ACLs can be configured to block access to the affected WLC on TCP
port 1023. After ACLs are defined, they can be applied to the management
interface, the access point manager (AP-manager) interface, or any of the
dynamic interfaces for client data traffic or to the Network Processing Unit
(NPU) interface for traffic to the controller CPU.

Additional mitigations that can be deployed on Cisco devices in the network
are available in the Cisco Applied Mitigation Bulletin companion document
for this advisory [4].

What to tell your users?
========================

N/A

More information
================

[1] CISCO
[2] CISCO Software Download http://www.cisco.com/cisco/software/find.html?q=nx-os
[3] Information about CVSS: http://www.first.org/cvss/cvss-guide.html
[4] Mitigation http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-wlc

Best regards,

CERT-EU
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its
setup phase, until May 2012.
Services are provided in a pilot fashion, and are not yet fully functional.
Announcements, alerts and warnings are sent out in best effort manner, and
to contact information currently known to us. We apologise if you are not
the correct recipient, or if you had already been warned about this issue
from another source. Format, content and way of alerting are subject to
change in the future. Contact information or even the team name may change
as well.)