
Cybersecurity Threat Advisory 0057-19: Cisco Addresses Serious Flaws in Wireless Access Points

Advisory Overview

Cisco, one of the leading networking hardware manufacturers, routinely updates and patches components of its product line. Recently, one of these update sets applied to Cisco Aironet wireless access points (WAPs). WAPs extend the coverage of a Wi-Fi network to allow for connectivity in larger areas, such as larger offices, warehouses, and campuses. Aironet is Cisco’s entry-level WAP platform and is very popular with larger small and mid-sized businesses, and therefore has a broad installation base. The patches closed vulnerabilities that could allow an external attacker to change networking configuration by sending specific URLs to the devices, potentially gaining control of the network itself. Update Aironet devices as soon as possible to avoid the potential for an attacker using this vulnerability; contact your IT department and/or Managed Service Provider for more information.

What is the threat?

Cisco recently updated its Aironet line of wireless access point hardware devices. These patches included fixes for vulnerabilities that can allow remote manipulation of network configuration through specifically crafted URLs sent to the WAP interfaces. This manipulation bypasses standard authentication restrictions, and can therefore allow an unauthenticated attacker to gain access to network configuration and resources normally considered secure.

Why is this noteworthy?

The most severe of the vulnerabilities discovered in these Cisco products could allow for remote unauthorized access with elevated privileges on the affected system. Such a privilege escalation attack on a company’s data and applications could prove to be costly and catastrophic. Affected access points may allow an attacker to view sensitive information, update network configurations, and disable a compromised access point, potentially resulting in a denial of service.

What is the exposure or risk?

There are over 20 Cisco products (please see list below) affected by the vulnerabilities, yet there have been no major reports of the vulnerabilities being exploited in the wild to date. https://cve.mitre.org and https://nvd.nist.gov list several CVEs referencing the exploits. Large to medium government entities and business entities are at the highest risk, due to the sheer volume of Cisco equipment implemented in these environments. In comparison, small government entities and business entities would be at medium risk and home users would be at the lowest risk. It should be noted that Aironet devices are popular with small businesses who are expanding, especially in the storage and manufacturing sectors where rapid expansion of wireless coverage may occur without significant security oversight.

What can you do?

  • Install the updates provided by Cisco immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack and, as an additional best practice, apply the Principle of Least Privilege to all systems and services including networking and network access point management.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources. This includes hyperlinks in emails, text messages, and/or phone calls in addition to links in web pages.

SYSTEMS AFFECTED:

  • Aironet 1540 Series APs
  • Aironet 1560 Series APs
  • Aironet 1800 Series APs
  • Aironet 1810 Series APs
  • Aironet 1830 Series APs
  • Aironet 1850 Series APs
  • Aironet 2800 Series APs
  • Aironet 3800 Series APs
  • Aironet 4800 APs
  • Aironet 9100 APs
  • Firepower Management Center (FMC) Software
  • FMC Software releases earlier than Release 6.5.0
  • Wireless LAN Controller (WLC) Software releases 8.5.140.0 and earlier
  • Wireless LAN Controller (WLC) Software releases earlier than Release 8.10
  • SPA112 2-Port Phone Adapter and SPA122 ATA with Router devices that are running firmware releases 1.4.1 SR4 and earlier and that have the web-based management interface enabled.
  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 550X Series Stackable Managed Switches
  • Expressway Series and TelePresence VCS running a software release earlier than Release X12.5.4
  • TelePresence CE Software releases earlier than Release 9.8.0
  • TelePresence CE Software releases earlier than Release 9.8.1
  • SPA100 Series ATAs that were running firmware releases 1.4.1 SR3 and earlier
  • Business 200 Series Smart Switches
  • Business 300 Series Managed Switches
  • Business 500 Series Stackable Managed Switches
  • ISE Software releases earlier than Release 2.4.0 Patch 10
  • ISE releases earlier than 2.4P10 or 2.3P7
  • FindIT Network Probe versions 1.0.0 and 1.0.1
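
An added example (not part of the original advisory, and not Cisco's tooling) that checks a device inventory against some of the release thresholds in the list above, comparing version fields numerically so that 8.5.140.0 correctly sorts before 8.10. The product keys, the inventory and the choice of the broader threshold where the list gives two for one product are assumptions of the example.

```python
import re

# Thresholds copied from the advisory's affected-systems list ("lt" = earlier than,
# "in" = exactly these). Assumption: where the list gives two, the broader is used.
AFFECTED = {
    "wlc": ("lt", ["8.10"]),  # list also has "8.5.140.0 and earlier"
    "fmc": ("lt", ["6.5.0"]),
    "expressway": ("lt", ["X12.5.4"]),
    "telepresence-ce": ("lt", ["9.8.1"]),  # list also has "earlier than 9.8.0"
    "findit-probe": ("in", ["1.0.0", "1.0.1"]),
}

def parse_version(text):
    """'X12.5.4' -> (12, 5, 4): compare fields as integers, never as strings."""
    fields = re.findall(r"\d+", text)
    if not fields:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(f) for f in fields)

def compare(a, b):
    """Return -1, 0 or 1; missing trailing fields count as 0 (6.5 == 6.5.0)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va, vb = va + (0,) * (width - len(va)), vb + (0,) * (width - len(vb))
    return (va > vb) - (va < vb)

def is_affected(product, version):
    """True or False per the table; None when the product has no rule here."""
    if product not in AFFECTED:
        return None
    op, refs = AFFECTED[product]
    if op == "in":
        return any(compare(version, r) == 0 for r in refs)
    return compare(version, refs[0]) < 0

# Constructed inventory: hostnames and installed versions are made up.
INVENTORY = [
    ("wlc-hq", "wlc", "8.5.140.0"),    # 8.5 sorts before 8.10 numerically
    ("wlc-lab", "wlc", "8.10.105.0"),
    ("fmc-01", "fmc", "6.5"),
    ("vcs-edge", "expressway", "X12.5.3"),
    ("probe-1", "findit-probe", "1.0.1"),
]

def triage(inventory):
    return {host: is_affected(prod, ver) for host, prod, ver in inventory}

if __name__ == "__main__":
    print(triage(INVENTORY))
```

A `None` verdict means the product has no rule in this table, not that the device is unaffected.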

References:

For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.