nessus
CISCO-SA-20181017-WLC-CAPWAP-MEMORY-LEAK.NASL
This script is Copyright (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Oct 26, 2018 - 12:00 a.m.

Cisco Wireless LAN Controller Multiple Vulnerabilities

2018-10-26 00:00:00
www.tenable.com

CVSS2: 6.1 (AV:A/AC:L/Au:N/C:N/I:N/A:C)
  Attack Vector: ADJACENT_NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE

CVSS3: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 7.8 (Confidence: High)

EPSS: 0.002 (Percentile: 57.8%)

According to its self-reported version, the Cisco Wireless LAN Controller (WLC) is affected by the following vulnerabilities:

  • A privilege escalation vulnerability due to improper parsing of a specific TACACS attribute. A remote attacker, authenticating to TACACS via the GUI, could create a local account with administrative privileges. (CVE-2018-0417)

  • A denial of service vulnerability due to flaws with specific timer mechanisms. A remote attacker could potentially cause the timer to crash, resulting in a DoS condition. (CVE-2018-0441)

  • An information disclosure vulnerability due to insufficient checks when handling Control and Provisioning of Wireless Access Point (CAPWAP) keepalive requests. A remote attacker, with a specially crafted CAPWAP keepalive packet, could potentially read the device's memory. (CVE-2018-0442)

  • A denial of service vulnerability due to improper validation of CAPWAP discovery request packets. A remote attacker could potentially disconnect associated APs, resulting in a DoS condition. (CVE-2018-0443)

Please see the included Cisco BIDs and the Cisco Security Advisory for more information.

#TRUST-RSA-SHA256 154fac228ee9bd3c25e50f3840f821b085d2b910694df2b80d015b4c5cfc8de736a1849f8aee482d6d9ea7d5bc4736c827a76d6050f204ac702bf8aa5a7d0f172884bd518ae4eff373b1aa8a721c551cb78785dbd591a1abaa2040b0ae3fa56d71d46ef2f8e9ec0fbf6603f3d30750c88607efed4cbd80e34051e6c23ff114e4a02048ba31f57494d8b0a50fc0156121b9ab85023284ce29e0c6f1b817410787420e63ef4cf5bd2df9197db8ed40b4da29e79e7e677468e28ee2dab93a8076bf1e0eff779f840bbeca8055ebe04d135f12f7872b1e3aac7f271c9185b588cb86bc7c2c9079966c09a522df0e59bfd8e9c1e11c3c4f53485509c9ffb8ee05d8c00bf31de8bff42a8ad47e646eacceddc5cc60d64cbab92aeece70ef8b4f5dd9f344f563e3d8df635dab6c6b0fe16f1c92408f9d424d6bb692a87edc68e179fe7490104b5f75b35eb354bbd1f91d5635cbecab2ea73118aec46251767aa29ba764d531baad335ab1fd15d1926b27bd9b5ac152c17f0742d0b104bec4699a9e80972a509c30f84e5229a04bb371ad5c1ccddc49435d81f40d95cd71b4a88e5aca8dcf4cfaca2ab1342c525d35256cd34ae50be43ad0847dbd3c7a42b3a93f1cab3bca48e3e8933816c9e4ad11b06c0271e6f61645fb56d25b5335972d262812d5d870bcf5587b9a45cb0c629ef606f856236d06e9fef6565ae7f2cd4dc1598f81bf
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(118461);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/29");

  script_cve_id(
    "CVE-2018-0417",
    "CVE-2018-0441",
    "CVE-2018-0442",
    "CVE-2018-0443"
  );
  script_bugtraq_id(
    105664,
    105667,
    105680,
    105686
  );
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf66680");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvh65876");
  script_xref(name:"CISCO-BUG-ID", value:"CSCve64652");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf66696");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-wlc-capwap-memory-leak");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-wlc-gui-privesc");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-ap-ft-dos");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181017-wlc-capwap-dos");

  script_name(english:"Cisco Wireless LAN Controller Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Wireless LAN
Controller (WLC) is affected by the following vulnerabilities:

  - A privilege escalation vulnerability due to improper parsing
    of a specific TACACS attribute. A remote attacker,
    authenticating to TACACS via the GUI, could create a local
    account with administrative privileges. (CVE-2018-0417)

  - A denial of service vulnerability due to flaws with specific
    timer mechanisms. A remote attacker could potentially cause
    the timer to crash resulting in a DoS condition.
    (CVE-2018-0441)

  - An information disclosure vulnerability due to insufficient
    checks when handling Control and Provisioning of Wireless
    Access Point (CAPWAP) keepalive requests. A remote attacker,
    with a specially crafted CAPWAP keepalive packet, could
    potentially read the device's memory. (CVE-2018-0442)

  - A denial of service vulnerability due to improper validation
    of CAPWAP discovery request packets. A remote attacker could
    potentially disconnect associated APs, resulting in a DoS
    condition. (CVE-2018-0443)

Please see the included Cisco BIDs and the Cisco Security Advisory for
more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-memory-leak
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5e14b610");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d106cd6");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-gui-privesc
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e4eb02b4");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-ap-ft-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c9605ddd");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf66680");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf66696");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh65876");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve64652");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s)
CSCvf66680, CSCvh65876, CSCve64652, and CSCvf66696.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0442");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-0417");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/26");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cpe:/h:cisco:wireless_lan_controller");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_wlc_version.nasl");
  script_require_keys("Host/Cisco/WLC/Version", "Host/Cisco/WLC/Port");

  exit(0);
}

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");
include("global_settings.inc");

product_info = cisco::get_product_info(name:"Cisco Wireless LAN Controller (WLC)");

vuln_ranges = [
  { 'min_ver' : '0.0', 'fix_ver' : '8.3.140.0' },
  { 'min_ver' : '8.4', 'fix_ver' : '8.5.131.0' },
  { 'min_ver' : '8.6', 'fix_ver' : '8.7.102.0' }
];

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , product_info['port'],
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , "CSCvf66680, CSCvh65876, CSCve64652, and CSCvf66696"
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_ranges:vuln_ranges);
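The plugin decides "affected" purely from the self-reported version: a controller is flagged when its version is at or above a range's min_ver and below that range's fix_ver. The following Python is an added example, not Tenable's code and not the NASL library's check_and_report; it re-implements that comparison so a defender can run the same test over an inventory export offline. The three ranges are copied from vuln_ranges above; the helper names (parse_version, version_lt, matching_range, triage) and the hostnames in INVENTORY are this example's own constructed values.

```python
"""Offline version-range check modelled on the Nessus plugin's vuln_ranges.

Added example (not Tenable's code). Function names and the sample inventory
are constructed for illustration; the ranges themselves come from the plugin.
"""
from typing import Dict, List, Optional, Tuple

# Copied from the plugin: a version v is vulnerable when min_ver <= v < fix_ver.
VULN_RANGES: List[Dict[str, str]] = [
    {"min_ver": "0.0", "fix_ver": "8.3.140.0"},
    {"min_ver": "8.4", "fix_ver": "8.5.131.0"},
    {"min_ver": "8.6", "fix_ver": "8.7.102.0"},
]

# Constructed sample inventory: (hostname, self-reported WLC version).
INVENTORY: List[Tuple[str, str]] = [
    ("wlc-hq-01", "8.3.133.0"),   # below 8.3.140.0 -> vulnerable
    ("wlc-hq-02", "8.3.140.0"),   # exactly the fixed build -> not vulnerable
    ("wlc-br-01", "8.5.120.0"),   # in the 8.4 - 8.5.131.0 window -> vulnerable
    ("wlc-lab-01", "8.7.102.0"),  # fixed build of the 8.6 train -> not vulnerable
]


def parse_version(ver: str) -> Tuple[int, ...]:
    """Split a dotted version such as '8.3.133.0' into a tuple of ints.

    Any non-numeric component raises ValueError so that a malformed banner
    is reported rather than silently compared as a string.
    """
    parts = ver.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {ver!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a sorts strictly before version b.

    Shorter versions are padded with zeros, so '8.4' compares equal to
    '8.4.0.0'; this is what makes a bare '8.4' usable as a range lower bound.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def matching_range(version: str,
                   ranges: List[Dict[str, str]] = VULN_RANGES) -> Optional[Dict[str, str]]:
    """Return the range that makes `version` vulnerable, or None if none does.

    A version such as 8.3.150.0 falls between the first range's fix_ver and the
    second range's min_ver and is therefore reported as not affected, exactly
    as the plugin's range table implies.
    """
    for r in ranges:
        at_or_above_min = not version_lt(version, r["min_ver"])
        below_fix = version_lt(version, r["fix_ver"])
        if at_or_above_min and below_fix:
            return r
    return None


def triage(inventory: List[Tuple[str, str]],
           ranges: List[Dict[str, str]] = VULN_RANGES) -> Dict[str, str]:
    """Map each vulnerable host to the first fixed version of its train."""
    findings: Dict[str, str] = {}
    for host, version in inventory:
        hit = matching_range(version, ranges)
        if hit is not None:
            findings[host] = hit["fix_ver"]
    return findings


if __name__ == "__main__":
    for host, fix in triage(INVENTORY).items():
        print(f"{host}: vulnerable, upgrade to at least {fix}")
```

The check mirrors the plugin's behaviour rather than any release-train knowledge: the 8.3 range starts at 0.0, so every pre-8.4 build below 8.3.140.0 is caught, while an 8.3.x build at or above 8.3.140.0 matches no range and is treated as fixed. Because the result rests on a self-reported version string, it inherits the plugin's caveat: a controller that misreports its version is not detected.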
