Cisco Aironet APs Vulnerability Overview
This threat report is about a vulnerability recently discovered in Cisco Aironet Access Points (APs) known as CVE-2020-3560, and includes actionable mitigation intelligence.
An attacker may utilize this vulnerability to cause a Denial of Service (DoS) state on the targeted AP. Due to its high availability impact, this vulnerability can cause varied levels of down time depending on the asset priority of the AP affected.
Cisco has released software updates that remediate this vulnerability in the affected products.
Related Reading: CDPwn: Five Cisco Vulnerabilities
Tactics, Techniques, and Procedures
This vulnerability is due to improper resource management by the affected Cisco Aironet Access Points (APs) while processing certain packets. An attacker may leverage this vulnerability by sending a sequence of crafted UDP packets to a specified port on a vulnerable AP.
There are two different security issues presented by this vulnerability which are referred to as CSCvr85614 and CSCvr85609. The attack vectors are similar to each other and both are remediated through the patch code available in recently released updates from Cisco (noted below).
Both weaknesses can be exploited by an attacker connected over the network. A vulnerable AP will be susceptible regardless of its deployment mode.
Exploitation of CSCvr85614 will cause the AP to lose connection to the wireless LAN controller. Depending on the APs configuration, this could lead to loss of the client network or radio resets.
Exploitation of CSCvr85609 will cause the AP to unexpectedly reload, triggering a DoS state.
Related Reading: Cisco Webex Meetings Desktop App Vulnerability
Affected CISCO Products
- Cisco Aironet 1540 Series APs
- Cisco Aironet 1560 Series APs
- Cisco Aironet 1800 Series APs
- Cisco Aironet 2800 Series APs
- Cisco Aironet 3800 Series APs
- Cisco Aironet 4800 APs
- Cisco Business 100 Series APs and Mesh Extenders
- Cisco Business 200 Series APs
- Cisco Catalyst 9100 APs
- Cisco Catalyst IW 6300 APs
- Cisco ESW6300 Series APs
- Cisco Integrated Access Point on 1100 Integrated Services Routers
How the Cisco Aironet APs Vulnerability Affects You
Exploitation will lead to loss of connection to network resources and could lead to exceptional company production downtime depending on the AP targeted and length of attack.
What You Can Do About CVE-2020-3560
If your company uses one of the affected Cisco Aironet products, we recommend verifying that your devices are running at the latest patch level to remediate this vulnerability in your environment. You can stay up-to-date with security issues that directly involve Cisco products on Cisco’s Security Advisories page.
Sources and Other Helpful Information
IBM X-Force Exchange
Cisco Security Advisory
MITRE ATT&CK Techniques
8 Steps to Take if You’ve Been Breached
With the prevalence, severity and sophistication of cybersecurity attacks growing by the day, businesses of all types and sizes are scrambling to protect themselves. This best practices guide takes you through the 8 essential steps to managing a data breach. Download now.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.