How To Fix CVE-2022-20695- A Critical Authentication Bypass Vulnerability In Cisco WLC

Recently, CISCO released patches to a critical vulnerability found in Wi-Fi LAN Controllers. This vulnerability could allow attackers to bypass authentication. Tracked as CVE-2022-20695, the vulnerability has a CVSS score of 10 out of 10 and allows an attacker to get control of an affected system. Considering its severity and impact, it’s essential to fix the vulnerability as soon as possible. This article will show you how to fix CVE-2022-20695, a critical authentication bypass vulnerability in Cisco WLC.

About Cisco Wireless LAN Controller

Cisco Wireless LAN Controller is a device that connects wireless access points to a wired network. It centrally manages various wireless settings and policies, making it ideal for enterprise-level or large-scale deployments. Cisco WLCs also offer advanced features such as RF management, spectrum analysis, and load balancing. Cisco offers a wide range of WLC models to cater to different needs.

Cisco WLCs are widely deployed in enterprises and campuses worldwide. They offer many benefits over traditional distributed architectures, such as reduced complexity and lower costs. In addition, Cisco WLCs provides a unified management platform for Cisco access points, making it easy to configure and manage large-scale deployments.

The Cisco Wireless LAN Controllerr (WLC) is a key component of the Cisco Unified Wireless Network. WLCs manage and control wireless access points (APs), enforce security policies, forward traffic, and perform other functions in the wireless network. Cisco WLCs are available in a variety of form factors and configurations to meet the needs of small, medium, and large organizations.

Some of the key features of Cisco WLCs include:

Cisco WLCs are an essential part of Cisco Unified Wireless Network solutions, which provide end-to-end wireless networking from the edge of the network to the data center. Cisco Unified Wireless Network solutions can be deployed in a variety of ways to meet the needs of small, medium, and large organizations.

Summary Of CVE-2022-20695

A vulnerability, CVE-2022-20695, is detected in the Cisco WLC authentication functionality that allows an unauthenticated, remote attacker to bypass authentication and log in to devices via a management interface.

Cisco advisory says that this vulnerability exists due to improper implementation of password validation algorithms. Attackers could exploit this vulnerability by logging in to a compromised device with crafted credentials. 

A successful attack could allow intruders to bypass authentication and log in to the system as an administrator. It allows an attacker to get the same privilege level as an administrator. However, it depends on crafted credentials.

Cisco WLC Products Affected By This Authentication Bypass Vulnerability

CVE-2022-20695 affects the following products if they are running Cisco WLC Software Release 8.10.151.0 or Release 8.10.162.0 with macfilter radius compatibility configured as Other. 

Cisco WLC Products Not Affected By This Authentication Bypass Vulnerability

Only the products listed above are known to be affected by this vulnerability. Cisco has confirmed that the following products are not affected by the CVE-2022-20695. No action is needed for these products.

How To Fix CVE-2022-20695- A Critical Authentication Bypass Vulnerability In Cisco WLC?

To fix the flaw, Cisco recommends upgrading WLC’s software version to 8.10.171.0. For the users who can’t upgrade their WLCs at any time soon, there are workarounds available that address this flaw. Let’s see them. This fix is not applicable for software v8.10.142.0 and earlier.

Follow these steps to download the software from the Cisco Software Center.

How To Apply The Workaround For CVE-2022-20695?

There are different ways to apply the workaround. Choose any one of them based on your Environment.

Option 01: No Macfilters in the Environment

If you don’t utilize macfilters, then you can reset the mac filter radius compatibility mode to a default value. 
wlc > config macfilter radius-compat cisco

Option 02: Mac filter in the Environment

If you don’t utilize macfilters and change the radius server configuration to match possible compatibility modes, then you can change the mac filter compatibility to either Cisco or Free using one of these CLI commands.
wlc > config macfilter radius-compat cisco
wlc > config macfilter radius-compat free

Cisco says that these workarounds have been deployed and tested successfully in a test environment. Therefore, you must determine the effectiveness and applicability in your Environment. 

Caution: You should be aware that any mitigation or workaround implemented may negatively impact the performance and functionality of their network depending on intrinsic customer deployment cases and limitations. You should not deploy any workaround before evaluating the applicability to their Environment. 

We hope this post would help you know how to fix CVE-2022-20695- A critical Authentication Bypass Vulnerability in the Cisco WLC management interface. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr,  Medium & Instgram, and subscribe to receive updates like this. 

You may also like these articles: