Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3273
Cisco IOS XE Wireless Controller Software for the Catalyst
9000 Family Vulnerabilities
25 September 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Denial of Service -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-3429 CVE-2020-3428 CVE-2020-3418
CVE-2020-3399 CVE-2020-3390
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capwap-dos-TPdNTdyq
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capwap-dos-ShFzXf
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-icmpv6-qb9eYyCR
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-ewlc-snmp-dos-wNkedg9K
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dclass-dos-VKh9D8k3
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wpa-dos-cXshjerc
Comment: This bulletin contains six (6) Cisco Systems security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family CAPWAP
Denial of Service Vulnerabilities
Priority: High
Advisory ID: cisco-sa-capwap-dos-TPdNTdyq
First Published: 2020 September 24 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
CWE-20
CVSS Score:
7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
o Multiple vulnerabilities in the Control and Provisioning of Wireless Access
Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco
Catalyst 9800 Series Wireless Controllers could allow an unauthenticated,
adjacent attacker to cause a denial of service (DoS) condition of an
affected device.
These vulnerabilities are due to insufficient validation of CAPWAP packets.
An attacker could exploit these vulnerabilities by sending a malformed
CAPWAP packet to an affected device. A successful exploit could allow the
attacker to cause the affected device to crash and reload, resulting in a
DoS condition on the affected device.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-capwap-dos-TPdNTdyq
This advisory is part of the September 24, 2020, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
25 Cisco Security Advisories that describe 34 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2020 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication .
Affected Products
o Vulnerable Products
These vulnerabilities affect the following Cisco devices if they are
running a vulnerable release of Cisco IOS XE Software:
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Embedded Wireless Controller on Catalyst 9100 Access Points
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following
Cisco products:
IOS Software
IOS XR Software
NX-OS Software
Wireless LAN Controller Software
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
Customers can also use the following form to determine whether a release is
affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
Software release-for example, 15.1(4)M2 or 3.13.8S :
[ ] [Check]
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes , Cisco IOS XE 3S
Release Notes , or Cisco IOS XE 3SG Release Notes , depending on the Cisco
IOS XE Software release.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerabilities that are
described in this advisory.
Source
o These vulnerabilities were found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: September 2020 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-capwap-dos-TPdNTdyq
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-SEP-24 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family CAPWAP
Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-capwap-dos-ShFzXf
First Published: 2020 September 24 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvs22033
CVE-2020-3399
CWE-126
Summary
o A vulnerability in the Control and Provisioning of Wireless Access Points
(CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst
9800 Series Wireless Controllers could allow an unauthenticated, remote
attacker to cause a denial of service (DoS) condition of an affected
device.
The vulnerability is due to insufficient input validation during CAPWAP
packet processing. An attacker could exploit this vulnerability by sending
a crafted CAPWAP packet to an affected device, resulting in a buffer
over-read. A successful exploit could allow the attacker to cause the
affected device to crash and reload, resulting in a DoS condition on the
affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-capwap-dos-ShFzXf
This advisory is part of the September 24, 2020, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
25 Cisco Security Advisories that describe 34 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2020 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication .
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco devices if they are running
a vulnerable release of Cisco IOS XE Software:
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Embedded Wireless Controller on Catalyst 9100 Access Points
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software
IOS XR Software
NX-OS Software
Wireless LAN Controller Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
Customers can also use the following form to determine whether a release is
affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
Software release-for example, 15.1(4)M2 or 3.13.8S :
[ ] [Check]
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes , Cisco IOS XE 3S
Release Notes , or Cisco IOS XE 3SG Release Notes , depending on the Cisco
IOS XE Software release.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank Fabian Beck from T-Systems for reporting this
vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: September 2020 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-capwap-dos-ShFzXf
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-SEP-24 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family Improper
Access Control Vulnerability
Priority: Medium
Advisory ID: cisco-sa-ewlc-icmpv6-qb9eYyCR
First Published: 2020 September 24 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvr07309
CVE-2020-3418
CWE-284
CVSS Score:
4.7 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in Cisco IOS XE Wireless Controller Software for Cisco
Catalyst 9800 Series Routers could allow an unauthenticated, adjacent
attacker to send ICMPv6 traffic prior to the client being placed into RUN
state.
The vulnerability is due to an incomplete access control list (ACL) being
applied prior to RUN state. An attacker could exploit this vulnerability by
connecting to the associated service set identifier (SSID) and sending
ICMPv6 traffic. A successful exploit could allow the attacker to send
ICMPv6 traffic prior to RUN state.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-ewlc-icmpv6-qb9eYyCR
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected the following Cisco
products if they were running a vulnerable release of Cisco IOS XE
Software:
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Embedded Wireless Controller on Catalyst 9100 Access Points
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software
IOS XR Software
NX-OS Software
Wireless LAN Controller Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
Customers can also use the following form to determine whether a release is
affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
Software release-for example, 15.1(4)M2 or 3.13.8S :
[ ] [Check]
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes , Cisco IOS XE 3S
Release Notes , or Cisco IOS XE 3SG Release Notes , depending on the Cisco
IOS XE Software release.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-ewlc-icmpv6-qb9eYyCR
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-SEP-24 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family SNMP
Trap Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-iosxe-ewlc-snmp-dos-wNkedg9K
First Published: 2020 September 24 16:00 GMT
Version 1.0: Final
Workarounds: Yes
Cisco Bug IDs: CSCvs56562
CVE-2020-3390
CWE-20
CVSS Score:
7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in Simple Network Management Protocol (SNMP) trap
generation for wireless clients of the Cisco IOS XE Wireless Controller
Software for the Cisco Catalyst 9000 Family could allow an unauthenticated,
adjacent attacker to cause the device to unexpectedly reload, causing a
denial of service (DoS) condition on an affected device.
The vulnerability is due to the lack of input validation of the information
used to generate an SNMP trap in relation to a wireless client connection.
An attacker could exploit this vulnerability by sending an 802.1x packet
with crafted parameters during the wireless authentication setup phase of a
connection. A successful exploit could allow the attacker to cause the
device to reload, causing a DoS condition.
Cisco has released software updates that address this vulnerability. There
are workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-iosxe-ewlc-snmp-dos-wNkedg9K
This advisory is part of the September 24, 2020, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
25 Cisco Security Advisories that describe 34 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2020 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication .
Affected Products
o Vulnerable Products
This vulnerability affects Cisco IOS XE Wireless Controller Software for
the Cisco Catalyst 9000 Family if the device is running a vulnerable
release and is configured to send SNMP traps for 802.1x wireless
connections. The following hardware platforms are vulnerable:
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Embedded Wireless Controller on Catalyst 9100 Access Points
For more information about which Cisco software releases are vulnerable,
see the Fixed Software section of this advisory.
Determine Whether a Device Is configured for SNMP trapflags for 802.1x
To determine whether any SNMP trapflags for 802.1x clients are enabled for
a device, log in to the device and use the show running-config | include
trapflags client dot11 command on the CLI to check for the presence of any
command in the form trapflags client dot11 in the global configuration. If
any output is returned then the device is vulnerable. This vulnerability is
specific to the 802.1x SNMP traps, which are indicated by the dot11 in the
CLI command output.
The following example shows the output of the show running-config | include
trapflags client dot11 command for a device that has SNMP trapflags
configured:
Router# show running-config | include trapflags client dot11
trapflags client dot11 assocfail
trapflags client dot11 associate
trapflags client dot11 authenticate
trapflags client dot11 authfail
trapflags client dot11 deauthenticate
trapflags client dot11 disassociate
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco software:
IOS Software
IOS XR Software
NX-OS Software
WLC Software
Workarounds
o There is a workaround that addresses this vulnerability.
The workaround for this vulnerability is to remove all commands from the
running configuration of the form trapflags client dot11 . These commands
cause an SNMP trap to be generated for specific states of the wireless
connection to the device, and that SNMP trap generation function causes the
device to be vulnerable. If the wireless network does not require SNMP
traps, it is considered a valid workaround to remove these commands.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
Customers can also use the following form to determine whether a release is
affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
Software release-for example, 15.1(4)M2 or 3.13.8S :
[ ] [Check]
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes , Cisco IOS XE 3S
Release Notes , or Cisco IOS XE 3SG Release Notes , depending on the Cisco
IOS XE Software release.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: September 2020 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-iosxe-ewlc-snmp-dos-wNkedg9K
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-SEP-24 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family WLAN
Local Profiling Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-dclass-dos-VKh9D8k3
First Published: 2020 September 24 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvr96076
CVE-2020-3428
CWE-20
CVSS Score:
7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the WLAN Local Profiling feature of Cisco IOS XE
Wireless Controller Software for the Cisco Catalyst 9000 Family could allow
an unauthenticated, adjacent attacker to cause a denial of service (DoS)
condition on an affected device.
The vulnerability is due to incorrect parsing of HTTP packets while
performing HTTP-based endpoint device classifications. An attacker could
exploit this vulnerability by sending a crafted HTTP packet to an affected
device. A successful exploit could cause an affected device to reboot,
resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
Note : The WLAN Local Profiling feature is disabled by default.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-dclass-dos-VKh9D8k3
This advisory is part of the September 24, 2020, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
25 Cisco Security Advisories that describe 34 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2020 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication .
Affected Products
o Vulnerable Products
This vulnerability affects Cisco IOS XE Wireless Controller Software for
the Cisco Catalyst 9000 Family if a device is running a vulnerable software
release and has the WLAN Local Profiling feature enabled with HTTP-based
profiling. All other profiling methods are not affected by this
vulnerability. The following hardware platforms are vulnerable:
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
9500 Series Switches
Catalyst 9800 Series Wireless Controllers
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine if the Device is Configured for WLAN Local Profiling
To determine if WLAN Local Profiling is enabled for a device, log in to the
device and check the running-config to verify that the following elements
are configured.
The device classifier is a global command and the http-tlv-caching is
configured under each WLAN profile policy. If both of these elements are
present, then the configuration is vulnerable.
device classifier
wireless profile policy (name)
http-tlv-caching
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Embedded Wireless Controller on Catalyst 9100 Access Points
IOS Software
IOS XR Software
NX-OS Software
WLC Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
Customers can also use the following form to determine whether a release is
affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
Software release-for example, 15.1(4)M2 or 3.13.8S :
[ ] [Check]
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes , Cisco IOS XE 3S
Release Notes , or Cisco IOS XE 3SG Release Notes , depending on the Cisco
IOS XE Software release.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: September 2020 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-dclass-dos-VKh9D8k3
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-SEP-24 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------------------------------------------------------------
Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family WPA
Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-wpa-dos-cXshjerc
First Published: 2020 September 24 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvr69019
CVE-2020-3429
CWE-20
CVSS Score:
7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the WPA2 and WPA3 security implementation of Cisco IOS
XE Wireless Controller Software for the Cisco Catalyst 9000 Family could
allow an unauthenticated, adjacent attacker to cause denial of service
(DoS) condition on an affected device.
The vulnerability is due to incorrect packet processing during the WPA2 and
WPA3 authentication handshake when configured for dot1x or pre-shared key
(PSK) authentication key management (AKM) with 802.11r BSS Fast Transition
(FT) enabled. An attacker could exploit this vulnerability by sending a
crafted authentication packet to an affected device. A successful exploit
could cause an affected device to reload, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
Note : Valid credentials for dot1x or PSK AKM to access the WLAN are
required to exploit this vulnerability
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-wpa-dos-cXshjerc
This advisory is part of the September 24, 2020, release of the Cisco IOS
and IOS XE Software Security Advisory Bundled Publication, which includes
25 Cisco Security Advisories that describe 34 vulnerabilities. For a
complete list of the advisories and links to them, see Cisco Event
Response: September 2020 Semiannual Cisco IOS and IOS XE Software Security
Advisory Bundled Publication .
Affected Products
o Vulnerable Products
This vulnerability affects Cisco IOS XE Wireless Controller Software for
the Cisco Catalyst 9000 Family if a device is running a vulnerable software
release with dot1x or PSK AKM configured and has the FT feature enabled
within a WLAN. The following hardware platforms are vulnerable:
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
9500 Series Switches
Catalyst 9800 Series Wireless Controllers
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the Device Configuration
To determine if a device has a vulnerable configuration, log in to the
device and execute the show running-config all CLI command. Some
configuration elements are default and will not be displayed without the
all parameter.
For a vulnerable AKM configuration, verify if any of the following elements
are configured:
A WLAN using dot1x AKM will have security wpa akm dot1x or security wpa
akm ft dot1x configured.
A WLAN using PSK AKM will have security wpa akm psk or security wpa akm
ft psk configured.
To verify if FT is enabled within a WLAN configured with a vulnerable AKM,
confirm if either element listed below is present:
security ft
security ft adaptive
Vulnerable configuration examples are as follows:
Dot1x
Dot1x with Adaptive 11r WLAN:
wlan dot1x 1 dot1x
security ft adaptive
security wpa akm dot1x
security dot1x authentication-list eap_methods
no shutdown
11r-dot1x WLAN:
wlan 11r-dot1x 2 11r-dot1x
security ft
security wpa akm ft dot1x
security dot1x authentication-list eap_methods
no shutdown
PSK
PSK with Adaptive 11r WLAN:
wlan psk 3 psk
security ft adaptive
security wpa psk set-key ascii 0 cisco123
no security wpa akm dot1x
security wpa akm psk
no shutdown
11r-PSK WLAN:
wlan 11r-psk 4 11r-psk
security ft
security wpa psk set-key ascii 0 cisco123
no security wpa akm dot1x
security wpa akm ft psk
no shutdown
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Embedded Wireless Controller on Catalyst 9100 Access Points
IOS Software
IOS XR Software
NX-OS Software
WLC Software
Workarounds
o There are no workarounds that address this vulnerability.
However, customers can disable the 802.11r Fast Transition (FT) feature as
a mitigation. Executing the no security ft or no security ft adaptive
command will disable this feature and prevent this exploit. The following
examples are for dot1x.
Note : Before making this configuration change, ensure that the WLAN is in
a shutdown state.
11r-dot1x WLAN:
wlan 11r-dot1x 2 11r-dot1x
no security ft
security wpa akm ft dot1x
security dot1x authentication-list eap_methods
no shutdown
Dot1x with Adaptive 11r WLAN:
wlan dot1x 1 dot1x
no security ft adaptive
security wpa akm dot1x
security dot1x authentication-list eap_methods
no shutdown
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
Customers can also use the following form to determine whether a release is
affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
Software release-for example, 15.1(4)M2 or 3.13.8S :
[ ] [Check]
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to the Cisco IOS XE 2 Release Notes , Cisco IOS XE 3S
Release Notes , or Cisco IOS XE 3SG Release Notes , depending on the Cisco
IOS XE Software release.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: September 2020 Semiannual Cisco IOS and IOS XE
Software Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-wpa-dos-cXshjerc
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-SEP-24 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX20i8eNLKJtyKPYoAQg0qA//c9FmgGMFU3oa7OuYPi+0HTe8HnhRqo4x
iqlxeI0fguYx6V59vO0RY0/obfw8NIe5U1SlYSFlpUxmwVk7SNfsmu5KOjWDbsiT
R5a/jMtew/BLij/eGY2bKbxpjQYznytV2PehBGZjenAaikVryTzz/v6EQXewVAUV
W+R+y7z7rSCgDpFVFNuhirX+RasqyB/34RlTR+CUtNIj6SurXTVfrMYoTYbQgEP8
QbSG1jpXycwfXBs6v3oMckiLwHjrD4SL/Ts6c4KL9jOxw89norX3DqgqohiU+Q9P
jif3QDYgniFqq9k8pmSZAiuNG8FlJhxwVjQYeMjBVSXaYLm62Rmhqnb/Zxcg6IYJ
oD+edDCSicpwOw/RdCWRpD0a49DqwweA/w3s3gl9+MVPlZXO43bSnfURMVKwizLZ
XpAf0CHtkRuuW49/ZwWo5d2uo0UR75KfqThOtzm6HPYzh9DnFOshLlZ3p4zHJmSV
VBH3MAjI3HtOBBDKYwoAvvkNqkuc9sXPjE9RJ15xPHTUfLeeUZ/Fr0yVK63Phy6Z
wTdddjWoe8v07BEQHD/siSIIVqJISzoaW3q1DY/lehnPf9NkS2f2nUcoFDUSDqXf
6+4ns5Ew/rweYVt2+XeWrf97ZjD4rmzmbPrEZJRrQdVhcwPtTBstZl0h6Pq1D6b6
PXkXDWbHUzY=
=dfvJ
-----END PGP SIGNATURE-----