Auth bypass flaw in Cisco Wireless LAN Controller Software allows device takeover

Cisco fixed a critical flaw in Cisco Wireless LAN Controller (WLC) that could allow an unauthenticated, remote attacker to take control affected devices.

Cisco has released security patches to fix a critical vulnerability (CVSS score 10), tracked as CVE-2022-20695, in Cisco Wireless LAN Controller (WLC). A remote, unauthenticated attacker could exploit the flaw to bypass authentication and log in to the device through the management interface.

The vulnerability resides in the authentication feature of Cisco Wireless LAN Controller (WLC) Software.

“This vulnerability is due to the improper implementation of the password validation algorithm. An attacker could exploit this vulnerability by logging in to an affected device with crafted credentials. A successful exploit could allow the attacker to bypass authentication and log in to the device as an administrator.” reads the advisory published by Cisco. “The attacker could obtain privileges that are the same level as an administrative user but it depends on the crafted credentials.”

This vulnerability affects Cisco products running Cisco WLC Software Release 8.10.151.0 or Release 8.10.162.0 and have macfilter radius compatibility configured as Other:

• 3504 Wireless Controller
• 5520 Wireless Controller
• 8540 Wireless Controller
• Mobility Express
• Virtual Wireless Controller (vWLC)

Users can determine whether the Cisco WLC configuration is vulnerable using the show macfilter summary CLI command.

wlc > show macfilter summary 

The CVE-2022-20695 vulnerability does not affect the following products:

• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Catalyst 9800 Series Wireless Controllers
• Catalyst 9800 Wireless Controller for Cloud
• Embedded Wireless Controller on Catalyst Access Points
• Wireless LAN Controller (WLC) AireOS products not listed in the Vulnerable Products section

Below are the Cisco software releases that address this issue:

Cisco Wireless LAN Controller Release	First Fixed Release
8.9 and earlier	Not vulnerable
8.10.142.0 and earlier	Not vulnerable
8.10.151.0 and later	8.10.171.0

The Cisco PSIRT is not aware of any attack in the wild exploiting this vulnerability

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco Wireless LAN Controller)

[adrotate banner=”5″]

[adrotate banner=”13″]