PT-2018-8698 · Cisco · Cisco Wireless Lan Controller+3

Published: 2018-05-02 · Updated: 2019-10-09 · CVE-2018-0247

CVSS v3.1: 4.7 (Medium)

Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Cisco Aironet Access Points running Cisco IOS Software versions prior to 8.5.110.0
Cisco Wireless LAN Controller (WLC) versions prior to 8.5.110.0
Description: A vulnerability in Web Authentication (WebAuth) clients could allow an unauthenticated, adjacent attacker to bypass authentication and pass traffic due to incorrect implementation of authentication for WebAuth clients in a specific configuration. This configuration includes the Access Point (AP) in FlexConnect Mode with NAT, the WLAN configured for central switching, the AP configured with a Split Tunnel access control list (ACL) for access to local network resources, and the client using WebAuth. An attacker could exploit this vulnerability by sending traffic to local network resources without having gone through authentication, potentially allowing the attacker to bypass authentication and pass traffic.
Recommendations: For Cisco Aironet Access Points running Cisco IOS Software versions prior to 8.5.110.0, update to version 8.5.110.0 or later. For Cisco Wireless LAN Controller (WLC) versions prior to 8.5.110.0, update to version 8.5.110.0 or later. As a temporary workaround, consider disabling WebAuth for clients until a patch is available. Restrict access to local network resources by configuring the AP without a Split Tunnel access control list (ACL) until the issue is resolved.

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2018-0247

Affected Products

Cisco Aironet Access Points
Cisco Ios
Cisco Wireless Lan Controller
Cisco Wls