Broken password check algorithm lets anyone log into Cisco's Wi-Fi admin software
Specially crafted credentials grant remote high-privilege access? That's a 10 out of 10 in severity
Cisco on Tuesday issued a critical security advisory for its Wireless LAN Controller (WLC), used in various Cisco products to manage wireless networks.
A vulnerability in the software's authentication code (bug type CWE-303) could allow an unauthenticated remote attacker to bypass authentication controls and login to the device via its management interface.
"This vulnerability is due to the improper implementation of the password validation algorithm," Cisco's advisory says. "An attacker could exploit this vulnerability by logging in to an affected device with crafted credentials.
"A successful exploit could allow the attacker to bypass authentication and log in to the device as an administrator."
The advisory refers to the vulnerability as CVE-2022-20695 and notes that if the flaw is successfully exploited, the attacker can gain administrator privileges. Cisco has bestowed the vulnerability with a severity rating of 10.0 out of 10.0. That's as bad as it gets for those whose rating scale does not go to 11.0, otherwise known as "the call is coming from inside the house!"
The following Cisco products are affected if they're running Cisco WLC Software Release 126.96.36.199 or Release 188.8.131.52 and have MAC Filter RADIUS Compatibility mode set to
- 3504 Wireless Controller
- 5520 Wireless Controller
- 8540 Wireless Controller
- Mobility Express
- Virtual Wireless Controller (vWLC)
That setting, if not top of mind, can be determined by entering the
show macfilter summary command in the wlc command line interface for the device.
Creating a MAC address filter on a WLC offers admins a way to grant or deny access to the WLAN network based on the client MAC address. Cisco WLCs support either local MAC authentication or MAC authentication using a RADIUS server.
The advisory, though dire, does describe potential workarounds for those who don't use MAC filters in their environment. If that's the case, just fire up the CLI and enter
config macfilter radius-compat cisco at the wlc prompt.
Even for those who do use macfilters with their Cisco gear, the CLI offers a way out by allowing modification of the macfilter compatibility setting to either
Keep in mind that Cisco is only providing these workarounds for those unable to patch immediately. The network gear biz wants customers to understand that it isn't responsible if mitigation efforts go awry.
"While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions," the advisory cautions.
Caveat machinator. ®