Broken Password Check Algorithm Lets Anyone Log Into Cisco's Wi-Fi Admin Software

Cisco on Tuesday issued a critical security advisory for its Wireless LAN Controller (WLC), used in various Cisco products to manage wireless networks.

A vulnerability in the software's authentication code (bug type CWE-303) could allow an unauthenticated remote attacker to bypass authentication controls and login to the device via its management interface.

"This vulnerability is due to the improper implementation of the password validation algorithm," Cisco's advisory says. "An attacker could exploit this vulnerability by logging in to an affected device with crafted credentials.

"A successful exploit could allow the attacker to bypass authentication and log in to the device as an administrator."

The advisory refers to the vulnerability as CVE-2022-20695 and notes that if the flaw is successfully exploited, the attacker can gain administrator privileges. Cisco has bestowed the vulnerability with a severity rating of 10.0 out of 10.0. That's as bad as it gets for those whose rating scale does not go to 11.0, otherwise known as "the call is coming from inside the house!"

The following Cisco products are affected if they're running Cisco WLC Software Release 8.10.151.0 or Release 8.10.162.0 and have MAC Filter RADIUS Compatibility mode set to Other:

• 3504 Wireless Controller
• 5520 Wireless Controller
• 8540 Wireless Controller
• Mobility Express
• Virtual Wireless Controller (vWLC)

That setting, if not top of mind, can be determined by entering the show macfilter summary command in the wlc command line interface for the device.

Creating a MAC address filter on a WLC offers admins a way to grant or deny access to the WLAN network based on the client MAC address. Cisco WLCs support either local MAC authentication or MAC authentication using a RADIUS server.

The advisory, though dire, does describe potential workarounds for those who don't use MAC filters in their environment. If that's the case, just fire up the CLI and enter config macfilter radius-compat cisco at the wlc prompt.

Even for those who do use macfilters with their Cisco gear, the CLI offers a way out by allowing modification of the macfilter compatibility setting to either cisco or free.

Keep in mind that Cisco is only providing these workarounds for those unable to patch immediately. The network gear biz wants customers to understand that it isn't responsible if mitigation efforts go awry.

"While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions," the advisory cautions.

Caveat machinator. ®

Speaking of severe bugs, HP this month updated its Teradici PCoIP client to close off a bunch of libexpat security flaws as well as the OpenSSL DoS hole that we covered earlier.