Cisco has released software fixes to solve the lack of security maximum speed in the iOS XE wireless controller, which can allow the unauthorized, remote attackers to download arbitrary files into a sensitive system.
Vulnerability tracked as Cve-2015-2018810.0 on CVSS assessment was estimated.
“This vulnerability is related to the presence of a rigid coded token JSON (JWT) in the affected system,” the company – Note in consultation on Wednesday.
“The attacker can use this vulnerability by sending HTTPS to the Image Loading Interface. Successful operation can allow the attacker to download files, make the way and execute arbitrary commands with root privileges.”
Given this, in order for the operation to be successful, the device’s images AP OUT-band must be included on the device. This is disabled by default.
The following products are affected if they have a vulnerable release, and included the Image Download feature out-including-
- Catalyst of wireless controllers 9800-CL for cloud
- Catalyst 9800 built -in wireless controller for Catalyst 9300, 9400 and 9500 switches
- Catalyst 9800 wireless controllers
- Built -in wireless controller on Catalyst APS
Although the update to the latest version is the best way to action as temporary softening users can disable this feature until the update can be executed.
“With this feature disabled, the loading of AP -Malonka will use the CAPWAP method for the AP upgrade feature, and it does not affect the AP client’s condition,” Cisco added.
Special networking equipment attributed the XB Group Advanced Security Inities Group Cisco (ASIG) for detecting misconception during internal security testing. There is no evidence that the vulnerability was made angrily in the wild.
