I recently did a vulnerability scan of a 4400 (4404) series wireless LAN controller running 220.127.116.11 and it showed SSH running on port 22 of the management interface. The problem I have is that the vulnerability scanner (Nessus) showed the version to be OpenSSH 4.0 according to the SSH banner. Based on this version it has highlighted a large number of potential vulnerabilities including denial of service and privilege escalation issues. I've researched each of these vulnerabilities and they do indeed affect this version of OpenSSH and some of them are quite serious. However, I can find absolutely no reference on the web to this device (or indeed any Cisco device) being vulnerable to these OpenSSH bugs. I can find references to other SSH bugs but these are not the same ones that appear to affect OpenSSH 4.0 and the version of software on the device is not vulnerable to those other ones. I would have imagined with both the popularity of the device and of the vulnerability scanner that someone would have encountered this before. I'm starting to think now that this is a false positive on the scanner's part or else that Cisco fixes these bugs individually without upgrading the version of OpenSSH in the banner and so it is not affected - but I would have thought there would still be reference to these somewhere online. I'd appreciate any thoughts anyone would have on this.
Some of the vulnerabilities that the scanner is showing against this version of OpenSSH are as follows:
X11 trusted cookie forwarding issue -> (CVE-2007-4752)

Potential denial of service by crashing ssh service -> (CVE-2006-4925)

Privilege escalation via weak verification of authentication -> (CVE-2006-5794)

DoS by forcing keys to be recreated -> (CVE-2007-0726)

Uncover 32 bits of plain text from arbitrary block of ciphertext -> (CVE-2008-1483)

Hijack X11 session due to binding TCP ports to IPv6 interface instead of IPv4 when IPv4 is in use - CVE-2008-1483

Execute arbitrary commands if a user copies a malicious crafted file via scp - CVE-2008-1483

Execution of commands using weakness in the ForceCommand directive - CVE-2008-1657
Thanks very much for the response. That clears up that issue. The Cisco code you give - CSCsx46691 - is that only available to view for certain Cisco membership types? I searched for it on Google and on this site but can't find any reference to it. Thanks for posting the content of it!
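
The scanner findings discussed in this thread come from the SSH identification string alone, and that string cannot show whether a vendor has fixed individual bugs without changing the advertised version. The sketch below is an added example, not part of the original posts: it parses a banner in the RFC 4253 format and separates the thread's CVE list into vendor-confirmed and banner-inferred findings. The sample banner, the function names and the empty vendor-confirmed set are assumptions made for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
_ID = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
_OPENSSH = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")


def parse_ssh_banner(raw):
    """Return the fields of the first SSH identification line found in raw bytes."""
    for line in raw.decode("ascii", "replace").splitlines():
        # A server may send other text lines before the identification string.
        m = _ID.match(line)
        if m:
            info = m.groupdict()
            o = _OPENSSH.match(info["software"])
            # Advertised version only; it says nothing about backported fixes.
            info["openssh"] = (int(o["major"]), int(o["minor"])) if o else None
            return info
    raise ValueError("no SSH identification string found")


def triage(raw_banner, scanner_cves, vendor_confirmed):
    """Split scanner findings into vendor-confirmed and banner-inferred only."""
    info = parse_ssh_banner(raw_banner)
    result = {"software": info["software"], "confirmed": [], "banner_only": []}
    for cve in dict.fromkeys(scanner_cves):  # de-duplicate, keep report order
        bucket = "confirmed" if cve in vendor_confirmed else "banner_only"
        result[bucket].append(cve)
    return result


# Constructed sample banner (a pre-banner line followed by the identification string).
SAMPLE_BANNER = b"Authorized use only\r\nSSH-2.0-OpenSSH_4.0\r\n"
# CVE identifiers as listed in the post above, duplicates included.
SCANNER_CVES = ["CVE-2007-4752", "CVE-2006-4925", "CVE-2006-5794", "CVE-2007-0726",
                "CVE-2008-1483", "CVE-2008-1483", "CVE-2008-1483", "CVE-2008-1657"]
# Assumption: populate from vendor advisories or bug IDs for the exact software release.
VENDOR_CONFIRMED = set()

if __name__ == "__main__":
    report = triage(SAMPLE_BANNER, SCANNER_CVES, VENDOR_CONFIRMED)
    print(report["software"], "advertised by banner")
    for cve in report["banner_only"]:
        print(cve, "- inferred from banner only, verify against vendor advisory")
```
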