CVE-2012-0370 in Wireless LAN Controller Software

Summary

by MITRE

Cisco Wireless LAN Controller (WLC) devices with software 4.x, 5.x, 6.0, and 7.0 before 7.0.220.0 and 7.1 before 7.1.91.0, when WebAuth is enabled, allow remote attackers to cause a denial of service (device reload) via a sequence of (1) HTTP or (2) HTTPS packets, aka Bug ID CSCtt47435.

Analysis

by VulDB Data Team • 04/09/2017

The vulnerability identified as CVE-2012-0370 affects Cisco Wireless LAN Controller devices operating within specific software versions including 4.x, 5.x, 6.0, and 7.0 before 7.0.220.0 and 7.1 before 7.1.91.0. This flaw specifically manifests when the WebAuth feature is enabled on these wireless controllers, creating a potential avenue for remote attackers to disrupt service availability. The vulnerability represents a critical concern for organizations relying on Cisco WLC infrastructure for wireless network operations, as it can lead to complete device reloads and subsequent network disruption.

The technical mechanism underlying this vulnerability involves a flaw in how the affected Cisco WLC devices process HTTP or HTTPS packets when WebAuth is active. Attackers can exploit this weakness by sending a carefully crafted sequence of packets that triggers an internal processing error within the device's web authentication subsystem. This error condition causes the device to enter a state where it must restart its entire operational stack, effectively resulting in a denial of service condition that can persist until manual intervention or automatic recovery occurs. The vulnerability demonstrates a classic case of improper input validation and error handling within network infrastructure devices.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise network availability and business continuity. When a Cisco WLC device reloads due to this vulnerability, all wireless clients connected to that controller experience immediate disconnection and must re-authenticate upon recovery. This can result in significant downtime for wireless services, particularly in enterprise environments where wireless connectivity is critical for business operations. The vulnerability affects organizations across various sectors including healthcare, finance, and telecommunications where wireless network reliability is paramount. From an attacker's perspective, this vulnerability requires minimal resources to exploit and can be automated, making it particularly dangerous in environments where wireless infrastructure is not properly segmented or monitored.

Mitigation strategies for this vulnerability require immediate software updates to the affected Cisco WLC devices, specifically upgrading to versions 7.0.220.0 or later for software 7.0 releases and 7.1.91.0 or later for software 7.1 releases. Organizations should also implement network segmentation to limit exposure of WLC devices to untrusted networks and consider disabling WebAuth functionality when it is not required for specific network segments. Network monitoring should be enhanced to detect unusual packet patterns that might indicate exploitation attempts, and access controls should be strengthened to limit administrative access to these devices. This vulnerability aligns with CWE-129, which addresses improper validation of input, and relates to ATT&CK technique T1499.002 for network denial of service attacks, emphasizing the importance of proper input validation and error handling in network infrastructure devices.
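The version ranges and the WebAuth precondition above can be turned into an inventory triage check. The following is an added example, not VulDB or Cisco code; the hostnames and version strings in INVENTORY are constructed sample data, and the status labels are names chosen for this sketch.

```python
# Added example: triage a WLC inventory against the version ranges in the summary.
# Hostnames and version strings in INVENTORY are constructed sample data.

# First fixed release per software train, as stated on the page.
FIXED = {(7, 0): (7, 0, 220, 0), (7, 1): (7, 1, 91, 0)}


def parse(version):
    """'7.0.116.0' -> (7, 0, 116, 0), padded to four fields."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor: {version!r}")
    return parts + (0,) * max(0, 4 - len(parts))


def status(version, webauth_enabled):
    """Classify one controller.

    vulnerable       - affected release and WebAuth enabled
    affected-release - affected release, WebAuth off (precondition not met)
    fixed            - 7.0 or 7.1 train at or above the fixed release
    not-listed       - train not covered by the summary; check vendor data
    """
    v = parse(version)
    train = v[:2]
    if train in FIXED:
        if v >= FIXED[train]:
            return "fixed"
    elif not (v[0] in (4, 5) or train == (6, 0)):
        return "not-listed"
    # 4.x, 5.x, 6.0, or a 7.0/7.1 build below the fixed release.
    return "vulnerable" if webauth_enabled else "affected-release"


def triage(inventory):
    """Return {host: status} for (host, version, webauth_enabled) rows."""
    return {host: status(ver, webauth) for host, ver, webauth in inventory}


INVENTORY = [  # constructed sample rows
    ("wlc-a", "7.0.116.0", True),
    ("wlc-b", "7.0.220.0", True),
    ("wlc-c", "5.2.193.0", False),
    ("wlc-d", "7.2.103.0", True),
]

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host:8} {result}")
```

Controllers reported as affected-release still need the upgrade, since enabling WebAuth later would expose them; not-listed trains fall outside the ranges given in the summary and need a separate check.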

Reservation: 01/04/2012
Disclosure: 02/29/2012
Moderation: accepted
Entry: VDB-60347
CPE: ready
EPSS: 0.00393
KEV: no
Activities: very low
