• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2022-20695- A Critical Authentication Bypass Vulnerability In Cisco WLC
How to Fix CVE-2022-20695- A Critical Authentication Bypass Vulnerability in Cisco WLC Management Interface

Recently, CISCO released patches to a critical vulnerability found in Wi-Fi LAN Controllers. This vulnerability could allow attackers to bypass authentication. Tracked as CVE-2022-20695, the vulnerability has a CVSS score of 10 out of 10 and allows an attacker to get control of an affected system. Considering its severity and impact, it’s essential to fix the vulnerability as soon as possible. This article will show you how to fix CVE-2022-20695, a critical authentication bypass vulnerability in Cisco WLC.

About Cisco Wireless LAN Controller

Cisco Wireless LAN Controller is a device that connects wireless access points to a wired network. It centrally manages various wireless settings and policies, making it ideal for enterprise-level or large-scale deployments. Cisco WLCs also offer advanced features such as RF management, spectrum analysis, and load balancing. Cisco offers a wide range of WLC models to cater to different needs.

Cisco WLCs are widely deployed in enterprises and campuses worldwide. They offer many benefits over traditional distributed architectures, such as reduced complexity and lower costs. In addition, Cisco WLCs provides a unified management platform for Cisco access points, making it easy to configure and manage large-scale deployments.

The Cisco Wireless LAN Controllerr (WLC) is a key component of the Cisco Unified Wireless Network. WLCs manage and control wireless access points (APs), enforce security policies, forward traffic, and perform other functions in the wireless network. Cisco WLCs are available in a variety of form factors and configurations to meet the needs of small, medium, and large organizations.

Some of the key features of Cisco WLCs include:

  • Scalability: Cisco WLCs can support up to 40,000 clients and thousands of APs.
  • High availability: Cisco WLCs can be deployed in redundant pairs for increased uptime.
  • Flexible deployment options: Cisco WLCs can be deployed on-premises, in the cloud, or as a virtual appliance.
  • Cisco DNA support: Cisco WLCs work with Cisco DNA to simplify network management and enable advanced features such as location services and security analytics.

Cisco WLCs are an essential part of Cisco Unified Wireless Network solutions, which provide end-to-end wireless networking from the edge of the network to the data center. Cisco Unified Wireless Network solutions can be deployed in a variety of ways to meet the needs of small, medium, and large organizations.

Summary Of CVE-2022-20695

A vulnerability, CVE-2022-20695, is detected in the Cisco WLC authentication functionality that allows an unauthenticated, remote attacker to bypass authentication and log in to devices via a management interface.

Cisco advisory says that this vulnerability exists due to improper implementation of password validation algorithms. Attackers could exploit this vulnerability by logging in to a compromised device with crafted credentials. 

A successful attack could allow intruders to bypass authentication and log in to the system as an administrator. It allows an attacker to get the same privilege level as an administrator. However, it depends on crafted credentials.

Associated CVE IDCVE-2022-20695
DescriptionA Critical Authentication Bypass Vulnerability in Cisco WLC Management Interface.
Associated ZDI ID
CVSS Score10 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Cisco WLC Products Affected By This Authentication Bypass Vulnerability

CVE-2022-20695 affects the following products if they are running Cisco WLC Software Release 8.10.151.0 or Release 8.10.162.0 with macfilter radius compatibility configured as Other. 

  • 5520 Wireless Controller
  • 3504 Wireless Controller
  • 8540 Wireless Controller
  • Virtual Wireless Controller
  • Mobility Express

Cisco WLC Products Not Affected By This Authentication Bypass Vulnerability

Only the products listed above are known to be affected by this vulnerability. Cisco has confirmed that the following products are not affected by the CVE-2022-20695. No action is needed for these products.

  • Catalyst 9800 Series Wireless Controllers
  • Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
  • Catalyst 9800 Wireless Controller for Cloud
  • Wireless LAN Controller (WLC) AireOS products not listed in the Vulnerable Products section
  • Wireless LAN Controller AireOS products are not listed in the vulnerable products.

How To Fix CVE-2022-20695- A Critical Authentication Bypass Vulnerability In Cisco WLC?

To fix the flaw, Cisco recommends upgrading WLC’s software version to 8.10.171.0. For the users who can’t upgrade their WLCs at any time soon, there are workarounds available that address this flaw. Let’s see them.
 This fix is not applicable for software v8.10.142.0 and earlier.

Cisco Wireless LAN Controller ReleaseFirst Fixed Release
8.9 and earlierNot vulnerable
8.10.142.0 and earlierNot vulnerable
8.10.151.0 and later8.10.171.0

Follow these steps to download the software from the Cisco Software Center.

  • Click Browse all.
  • Select Wireless > Wireless LAN Controller > Standalone Controllers.
  • Select a certain product from the right pane of the product selector.
  • Select a hardware platform from the left pane of the software page. 

How To Apply The Workaround For CVE-2022-20695?

There are different ways to apply the workaround. Choose any one of them based on your Environment.

Option 01: No Macfilters in the Environment

If you don’t utilize macfilters, then you can reset the mac filter radius compatibility mode to a default value. 
wlc > config macfilter radius-compat cisco

Option 02: Mac filter in the Environment

If you don’t utilize macfilters and change the radius server configuration to match possible compatibility modes, then you can change the mac filter compatibility to either Cisco or Free using one of these CLI commands.
wlc > config macfilter radius-compat cisco
wlc > config macfilter radius-compat free

Cisco says that these workarounds have been deployed and tested successfully in a test environment. Therefore, you must determine the effectiveness and applicability in your Environment. 

Caution: You should be aware that any mitigation or workaround implemented may negatively impact the performance and functionality of their network depending on intrinsic customer deployment cases and limitations. You should not deploy any workaround before evaluating the applicability to their Environment. 

We hope this post will help you know how to fix CVE-2022-20695- A critical Authentication Bypass Vulnerability in the Cisco WLC management interface. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.