Recently, CISCO released patches to a critical vulnerability found in Wi-Fi LAN Controllers. This vulnerability could allow attackers to bypass authentication. Tracked as CVE-2022-20695, the vulnerability has a CVSS score of 10 out of 10 and allows an attacker to get control of an affected system. Considering its severity and impact, it’s essential to fix the vulnerability as soon as possible. This article will show you how to fix CVE-2022-20695, a critical authentication bypass vulnerability in Cisco WLC.
Table of Contents
About Cisco Wireless LAN Controller
Cisco Wireless LAN Controller is a device that connects wireless access points to a wired network. It centrally manages various wireless settings and policies, making it ideal for enterprise-level or large-scale deployments. Cisco WLCs also offer advanced features such as RF management, spectrum analysis, and load balancing. Cisco offers a wide range of WLC models to cater to different needs.
Cisco WLCs are widely deployed in enterprises and campuses worldwide. They offer many benefits over traditional distributed architectures, such as reduced complexity and lower costs. In addition, Cisco WLCs provides a unified management platform for Cisco access points, making it easy to configure and manage large-scale deployments.
The Cisco Wireless LAN Controllerr (WLC) is a key component of the Cisco Unified Wireless Network. WLCs manage and control wireless access points (APs), enforce security policies, forward traffic, and perform other functions in the wireless network. Cisco WLCs are available in a variety of form factors and configurations to meet the needs of small, medium, and large organizations.
Some of the key features of Cisco WLCs include:
- Scalability: Cisco WLCs can support up to 40,000 clients and thousands of APs.
- High availability: Cisco WLCs can be deployed in redundant pairs for increased uptime.
- Flexible deployment options: Cisco WLCs can be deployed on-premises, in the cloud, or as a virtual appliance.
- Cisco DNA support: Cisco WLCs work with Cisco DNA to simplify network management and enable advanced features such as location services and security analytics.
Cisco WLCs are an essential part of Cisco Unified Wireless Network solutions, which provide end-to-end wireless networking from the edge of the network to the data center. Cisco Unified Wireless Network solutions can be deployed in a variety of ways to meet the needs of small, medium, and large organizations.
Summary Of CVE-2022-20695
A vulnerability, CVE-2022-20695, is detected in the Cisco WLC authentication functionality that allows an unauthenticated, remote attacker to bypass authentication and log in to devices via a management interface.
Cisco advisory says that this vulnerability exists due to improper implementation of password validation algorithms. Attackers could exploit this vulnerability by logging in to a compromised device with crafted credentials.
A successful attack could allow intruders to bypass authentication and log in to the system as an administrator. It allows an attacker to get the same privilege level as an administrator. However, it depends on crafted credentials.
|Associated CVE ID||CVE-2022-20695|
|Description||A Critical Authentication Bypass Vulnerability in Cisco WLC Management Interface.|
|Associated ZDI ID||–|
|CVSS Score||10 Critical|
|Attack Vector (AV)||Network|
|Attack Complexity (AC)||Low|
|Privilege Required (PR)||None|
|User Interaction (UI)||None|
Cisco WLC Products Affected By This Authentication Bypass Vulnerability
CVE-2022-20695 affects the following products if they are running Cisco WLC Software Release 184.108.40.206 or Release 220.127.116.11 with macfilter radius compatibility configured as Other.
- 5520 Wireless Controller
- 3504 Wireless Controller
- 8540 Wireless Controller
- Virtual Wireless Controller
- Mobility Express
Cisco WLC Products Not Affected By This Authentication Bypass Vulnerability
Only the products listed above are known to be affected by this vulnerability. Cisco has confirmed that the following products are not affected by the CVE-2022-20695. No action is needed for these products.
- Catalyst 9800 Series Wireless Controllers
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Wireless Controller for Cloud
- Wireless LAN Controller (WLC) AireOS products not listed in the Vulnerable Products section
- Wireless LAN Controller AireOS products are not listed in the vulnerable products.
How To Fix CVE-2022-20695- A Critical Authentication Bypass Vulnerability In Cisco WLC?
To fix the flaw, Cisco recommends upgrading WLC’s software version to 18.104.22.168. For the users who can’t upgrade their WLCs at any time soon, there are workarounds available that address this flaw. Let’s see them.
This fix is not applicable for software v22.214.171.124 and earlier.
|Cisco Wireless LAN Controller Release||First Fixed Release|
|8.9 and earlier||Not vulnerable|
|126.96.36.199 and earlier||Not vulnerable|
|188.8.131.52 and later||184.108.40.206|
Follow these steps to download the software from the Cisco Software Center.
- Click Browse all.
- Select Wireless > Wireless LAN Controller > Standalone Controllers.
- Select a certain product from the right pane of the product selector.
- Select a hardware platform from the left pane of the software page.
How To Apply The Workaround For CVE-2022-20695?
There are different ways to apply the workaround. Choose any one of them based on your Environment.
Option 01: No Macfilters in the Environment
If you don’t utilize macfilters, then you can reset the mac filter radius compatibility mode to a default value.
wlc > config macfilter radius-compat cisco
Option 02: Mac filter in the Environment
If you don’t utilize macfilters and change the radius server configuration to match possible compatibility modes, then you can change the mac filter compatibility to either Cisco or Free using one of these CLI commands.
wlc > config macfilter radius-compat cisco
wlc > config macfilter radius-compat free
Cisco says that these workarounds have been deployed and tested successfully in a test environment. Therefore, you must determine the effectiveness and applicability in your Environment.
Caution: You should be aware that any mitigation or workaround implemented may negatively impact the performance and functionality of their network depending on intrinsic customer deployment cases and limitations. You should not deploy any workaround before evaluating the applicability to their Environment.
We hope this post would help you know how to fix CVE-2022-20695- A critical Authentication Bypass Vulnerability in the Cisco WLC management interface. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instgram, and subscribe to receive updates like this.