Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Cisco Patches Severe Flaws in Wireless LAN Controller

Cisco has released software updates to patch several critical and high severity denial-of-service (DoS) vulnerabilities in the company’s Wireless LAN Controller (WLC) products.

Cisco has released software updates to patch several critical and high severity denial-of-service (DoS) vulnerabilities in the company’s Wireless LAN Controller (WLC) products.

The most serious of the flaws, rated critical, is an issue related to the HTTP URL redirect feature of WLC software. The vulnerability (CVE-2016-1363), caused by the improper handling of HTTP traffic, allows an unauthenticated attacker to remotely trigger a buffer overflow and cause affected devices to enter a DoS condition.

The security hole affects Cisco WLC software versions 7.2, 7.3, 7.4 releases prior to 7.4.140.0(MD), 7.5, 7.6, and 8.0 releases prior to 8.0.115.0(ED).

Cisco WLC software is also affected by a high severity vulnerability (CVE-2016-1364) in the Bonjour task manager. By sending specially crafted Bonjour traffic to a vulnerable device, a remote attacker can cause it to enter a DoS condition.

The flaw exists in WLC software versions 7.4 prior to 7.4.130.0(MD), 7.5, 7.6, and 8.0 releases prior to 8.0.110.0(ED).

The last vulnerability related to Cisco WLC (CVE-2016-1362) exists in the web-based management interface of devices running AireOS software. A remote attacker can cause vulnerable devices to reload by accessing a URL that is not supported by the management interface. Cisco WLC devices running AireOS releases 4.1 through 7.4.120.0, all 7.5 releases, and release 7.6.100.0 are affected.

A DoS vulnerability has also been found in the DHCPv6 relay feature of Cisco Adaptive Security Appliance (ASA) software. A remote, unauthenticated attacker can exploit the flaw to cause a DoS condition by sending specially crafted DHCPv6 packets to affected devices.

This high severity vulnerability (CVE-2016-1367) only affects the 9.4.1 release of ASA software. Cisco ASA 5500-X series NGFs, ASA Services Module for Catalyst 6500 series switches and 7600 series routers, and Adaptive Security Virtual Appliances (ASAv) may be affected.

Advertisement. Scroll to continue reading.

Another serious DoS vulnerability (CVE-2015-6360) has been found in the Secure Real-Time Transport Protocol (SRTP) library (libSRTP). A remote attacker can trigger a DoS condition by sending malicious SRTP packets to the affected device.

This flaw impacts a wide range of Cisco products, including WebEx Meetings Server, Jabber, ASA software, IOS XE software, and over a dozen voice and unified communications devices.

Most of these vulnerabilities were discovered by Cisco’s own employees and there is no evidence that any of them have been exploited for malicious purposes. The libSRTP flaw was discovered last year by Randell Jesup of the Firefox team.

Related: Cisco Patches Command Injection Flaw in ACE Appliance

Related: Cisco Patches Critical, High Severity Flaws in NX-OS

Related: Cisco Patches Serious DoS Flaws in IOS Software

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.