Critical and high-severity flaws addressed in Cisco Aironet APs

Pierluigi Paganini October 17, 2019

A critical flaw in Aironet access points (APs) can be exploited by a remote attacker to gain unauthorized access to vulnerable devices.

Cisco disclosed a critical vulnerability in Aironet access points (APs), tracked as CVE-2019-15260, that can be exploited by a remote, unauthenticated attacker to gain unauthorized access to vulnerable devices with elevated privileges. This vulnerability was discovered during the resolution of a Cisco TAC support case.

Cisco has already released software updates that address the flaw. The company also pointed out that there are no workarounds that mitigate this vulnerability, so patching is the only fix.

The flaw is caused by insufficient access control for certain URLs on the AP. An attacker could exploit it simply by requesting the unprotected URLs, without any prior authentication.

“The vulnerability is due to insufficient access control for certain URLs on an affected device. An attacker could exploit this vulnerability by requesting specific URLs from an affected AP. An exploit could allow the attacker to gain access to the device with elevated privileges.” reads the security advisory published by Cisco.

The vulnerability affects Aironet 1540, 1560, 1800, 2800, 3800 and 4800 series APs. Cisco released versions 8.5.151.0, 8.8.125.0 and 8.9.111.0 to address the vulnerability.
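Because no workaround exists, the practical first step is to find which APs are still running a pre-fix build. The script below is an added example, not code from Cisco or from the original article: it compares an inventory of AP software versions against the three fixed releases named above, per release train. The rule that any earlier build in the 8.5, 8.8 and 8.9 trains is affected is an assumption made here for triage; the page does not list the exact affected versions, and trains not named on the page are reported as "unknown" rather than guessed. Hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed releases named in the Cisco advisory, keyed by release train.
# Assumption (not stated on the page): any earlier build in the same
# train is affected; trains not listed here cannot be assessed from the
# page alone and are reported as "unknown".
FIXED_RELEASES = {
    (8, 5): (8, 5, 151, 0),
    (8, 8): (8, 8, 125, 0),
    (8, 9): (8, 9, 111, 0),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Parse a dotted AP/WLC software version such as '8.5.140.0' into an int tuple.

    Numeric tuples compare correctly (8.10 sorts after 8.9), which a plain
    string comparison would get wrong.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(g) for g in m.groups())


def assess(version_text):
    """Return 'fixed', 'vulnerable' or 'unknown' for CVE-2019-15260.

    'vulnerable' means the build is older than the fixed release of its
    train (assumption above); 'unknown' means the train is not one the
    advisory text on this page names, so the result must be checked
    against the full advisory.
    """
    ver = parse_version(version_text)
    fixed = FIXED_RELEASES.get(ver[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if ver >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, version) pairs -> {hostname: status}."""
    return {host: assess(ver) for host, ver in inventory}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "8.5.140.0"),
    ("ap-lobby-02", "8.5.151.0"),
    ("ap-floor2-01", "8.8.120.0"),
    ("ap-floor3-01", "8.9.111.0"),
    ("ap-lab-01", "8.10.105.0"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-14s %s" % (host, status))
```

Feed it the version column from your WLC or AP inventory export. Treat an "unknown" result as a prompt to read the advisory's affected-versions table, not as a clean bill of health.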

Cisco revealed that there is no evidence of attacks exploiting the flaw in the wild.

Aironet APs are also affected by two high-severity flaws that can be exploited by an unauthenticated attacker to trigger a denial-of-service (DoS) condition.

The first flaw, tracked as CVE-2019-15261, impacts the Point-to-Point Tunneling Protocol (PPTP) VPN packet processing functionality.

“A vulnerability in the Point-to-Point Tunneling Protocol (PPTP) VPN packet processing functionality in Cisco Aironet Access Points (APs) could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.” states the Cisco advisory. “The vulnerability is due to insufficient validation of Generic Routing Encapsulation (GRE) frames that pass through the data plane of an affected AP. An attacker could exploit this vulnerability by associating to a vulnerable AP, initiating a PPTP VPN connection to an arbitrary PPTP VPN server, and sending a malicious GRE frame through the data plane of the AP. A successful exploit could allow the attacker to cause an internal process of the targeted AP to crash, which in turn would cause the AP to reload. The AP reload would cause a DoS condition for clients that are associated with the AP.”

The second flaw, tracked as CVE-2019-15264, resides in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation and, unlike the PPTP issue, requires the attacker to be adjacent (within radio range) rather than remote.

“A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation of Cisco Aironet and Catalyst 9100 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.” reads the security advisory published by Cisco.

“The vulnerability is due to improper resource management during CAPWAP message processing. An attacker could exploit this vulnerability by sending a high volume of legitimate wireless management frames within a short time to an affected device. A successful exploit could allow the attacker to cause a device to restart unexpectedly, resulting in a DoS condition for clients associated with the AP.”
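Since the CAPWAP issue is triggered by a burst of otherwise legitimate management frames, the signature to look for in wireless telemetry is rate, not content. The detector below is an added example, not code from Cisco or the article: it keeps a per-source sliding window over 802.11 management frame timestamps and raises one alert the first time a source exceeds the threshold. The window length and threshold are illustrative assumptions (the advisory gives no numbers), the subtype names are a convenience encoding chosen here, and the sample capture is constructed inline so the block runs offline.

```python
from collections import defaultdict, deque

# Management frame subtypes this detector counts. The names are an
# encoding chosen for this example, not a library's constants.
MGMT_SUBTYPES = {
    "assoc_req", "reassoc_req", "probe_req", "auth",
    "deauth", "disassoc", "action",
}


class MgmtFrameFloodDetector:
    """Per-source sliding-window rate detector for 802.11 management frames.

    window_seconds and threshold are assumed tuning values; calibrate them
    against a baseline capture from your own WLAN before alerting on them.
    """

    def __init__(self, window_seconds=1.0, threshold=200):
        self.window = window_seconds
        self.threshold = threshold
        self._events = defaultdict(deque)  # source MAC -> timestamps in window
        self._alerted = set()              # sources already reported

    def observe(self, ts, src_mac, subtype):
        """Feed one frame (timestamp, source MAC, subtype).

        Returns an alert dict the first time src_mac crosses the threshold
        within the window, otherwise None. Non-management frames are ignored.
        """
        if subtype not in MGMT_SUBTYPES:
            return None
        q = self._events[src_mac]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and src_mac not in self._alerted:
            self._alerted.add(src_mac)
            return {"src": src_mac, "count": len(q),
                    "window_s": self.window, "at": ts}
        return None


def run(frames, **kw):
    """Run the detector over an iterable of (ts, src_mac, subtype) tuples."""
    det = MgmtFrameFloodDetector(**kw)
    alerts = []
    for ts, src, subtype in frames:
        alert = det.observe(ts, src, subtype)
        if alert:
            alerts.append(alert)
    return alerts


def constructed_capture():
    """Constructed sample: one normal client and one client flooding auth frames."""
    frames = []
    # Normal client: one probe request every 500 ms for 10 s.
    for i in range(20):
        frames.append((i * 0.5, "aa:bb:cc:00:00:01", "probe_req"))
    # Flooding client: 300 authentication frames in about 0.6 s.
    for i in range(300):
        frames.append((5.0 + i * 0.002, "de:ad:be:ef:00:02", "auth"))
    # A data frame from the flooder, which the detector must not count.
    frames.append((5.3, "de:ad:be:ef:00:02", "data"))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for alert in run(constructed_capture(), window_seconds=1.0, threshold=200):
        print("management frame flood from %(src)s: %(count)d frames "
              "in %(window_s).1fs at t=%(at).3f" % alert)
```

In production the tuples would come from a monitor-mode capture or the controller's client event log rather than a constructed list; the detector itself does not change. Because the frames are individually legitimate, this check is about rate limiting and alerting, not about blocking a specific client, and it does not substitute for applying the fixed release.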


Pierluigi Paganini

(SecurityAffairs – Cisco Aironet APs, zero-day)
