CVE-2019-1830

EUVD-2019-10387

18.04.2019, 02:29

A vulnerability in Locally Significant Certificate (LSC) management for the Cisco Wireless LAN Controller (WLC) could allow an authenticated, remote attacker to cause the device to unexpectedly restart, which causes a denial of service (DoS) condition. The attacker would need to have valid administrator credentials. The vulnerability is due to incorrect input validation of the HTTP URL used to establish a connection to the LSC Certificate Authority (CA). An attacker could exploit this vulnerability by authenticating to the targeted device and configuring a LSC certificate. An exploit could allow the attacker to cause a DoS condition due to an unexpected restart of the device.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.9 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
cisco	CNA	4.9 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Affected Products (NVD)

Vendor	Product	Version
cisco	wireless_lan_controller_software	𝑥 < 8.3.150.0
cisco	wireless_lan_controller_software	8.5.131.0 ≤ 𝑥 < 8.5.140.0
cisco	wireless_lan_controller_software	8.6.101.0 ≤ 𝑥 < 8.8.100.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://www.securityfocus.com/bid/108028

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-wlc-cert-dos

http://www.securityfocus.com/bid/108028

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-wlc-cert-dos