CVE-2020-3390

7.4 HIGH (CVSS v3.1 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

📋 TL;DR

An unauthenticated attacker within radio range of a WLAN served by an affected controller can send an 802.1X packet with crafted parameters during the wireless client authentication setup phase. The flaw sits in the controller's SNMP trap generation for wireless client events (which is why the workaround below disables those traps): processing the crafted exchange causes the Cisco Catalyst 9000 Family wireless controller to reload unexpectedly, a denial of service (DoS). It affects Cisco IOS XE Wireless Controller Software on Catalyst 9000 Family devices and takes wireless service away from every client on the controller until it comes back up.

💻 Affected Systems

Products:
  • Cisco Catalyst 9000 Family Wireless Controllers
Versions: Cisco IOS XE Wireless Controller Software releases prior to 17.3.1 (Cisco publishes a first fixed release per release train; confirm your train with the vendor advisory or the Cisco Software Checker)
Operating Systems: Cisco IOS XE
Default Config Vulnerable: ⚠️ Yes
Notes: Applies to devices running the wireless controller function. The trigger is an 802.1X packet sent by a wireless client during its own authentication setup, so the attacker needs only radio access to a WLAN on the controller, not valid credentials.

📦 What is this software?

IOS XE by Cisco

Cisco IOS XE is Cisco's modern network operating system running on enterprise routers, switches, and wireless controllers deployed across corporate networks, data centers, branch offices, and service provider infrastructure worldwide. As the evolution of Cisco IOS, IOS XE provides a Linux-based modu...


⚠️ Risk & Real-World Impact

🔴

Worst Case

The device crashes and reloads, taking every wireless service it provides (all APs and clients it serves) down until it boots back up, which can disrupt critical operations. Nothing stops the attacker from repeating the trigger after each reboot.

🟠

Likely Case

An attacker triggers a device reload, leading to temporary wireless network downtime and service interruption for users.

🟢

If Mitigated

With the fixed release installed the crash no longer occurs. With only the workaround applied, the trigger path is removed at the cost of losing SNMP traps for wireless client events until the device is patched.

🌐 Internet-Facing: LOW. The attack vector is adjacent (CVSS AV:A): the crafted packet arrives over the air through an access point, so it cannot be sent from the internet.
🏢 Internal Only: HIGH. Anyone within radio range of a WLAN served by the controller, with no credentials, can trigger the reload.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW (CVSS AC:L). The attacker drives the 802.1X exchange itself and only has to send crafted packets; no credentials or victim interaction are needed.

Exploitation is straightforward for an attacker within radio range: the crafted packet is sent during the attacker's own authentication attempt, so the timing is under the attacker's control.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cisco IOS XE Wireless Controller Software 17.3.1 or later

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-ewlc-snmp-dos-wNkedg9K

Restart Required: Yes (upgrading IOS XE reloads the controller; plan a maintenance window)

Instructions:

1. Check the running release with 'show version'.
2. Download the fixed release for your release train from Cisco (the vendor advisory and the Cisco Software Checker list the first fixed release per train).
3. Install the image and reload the device.
4. Re-run 'show version' to confirm the new release is active.

🔧 Temporary Workarounds

Disable SNMP trap generation for wireless clients

Applies to: all affected releases

Removes the vulnerable SNMP trap generation that leads to the DoS. Caveat: the controller stops sending SNMP traps for wireless client events, so any NMS that depends on them loses that visibility until the device is patched and the traps are re-enabled.

no snmp-server enable traps wireless

🧯 If You Can't Patch

  • Keep in mind that the trigger is an 802.1X packet from a wireless client arriving through an access point, so segmenting the controller's wired management network does not close this path; reduce radio exposure where feasible (for example, do not serve 802.1X WLANs beyond the areas that need them).
  • Monitor for unusual 802.1X authentication attempts and rate-limit wireless authentication traffic where the platform allows it, so a single client cannot hammer the controller with repeated attempts.

🔍 How to Verify

Check if Vulnerable:

Run 'show version' on each Catalyst 9000 wireless controller and check whether the IOS XE release is prior to 17.3.1; for the per-train first fixed release, confirm with the vendor advisory or the Cisco Software Checker.

Check Version:

show version | include Version

Verify Fix Applied:

After patching, run 'show version' to confirm the version is 17.3.1 or later and test wireless client connectivity.
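The version and workaround checks above, pulled together into an offline triage script. This is an added example, not Cisco's code or anything from the advisory: it parses 'show version' and 'show running-config' text you have already collected, applies the single 17.3.1 cutoff this page states (Cisco lists a first fixed release per train, so confirm with the Cisco Software Checker before closing a ticket), and assumes 'snmp-server enable traps wireless' is the positive form of the page's workaround command. The device outputs in the block are constructed samples.

```python
import re
from typing import Optional, Tuple

# First fixed release as stated on this page. Cisco publishes per-train fixed
# releases, so treat this single cutoff as first-pass triage, not the final word.
FIRST_FIXED = (17, 3, 1)

# Matches both "Version 17.03.01" and "Version 17.3.1a" styles seen in IOS XE
# 'show version' output; the optional trailing letter is a rebuild suffix.
_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")

# Assumed positive form of the command this page's workaround negates.
_TRAPS_RE = re.compile(r"^\s*snmp-server enable traps wireless\b")


def parse_iosxe_version(show_version: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, maintenance, rebuild) from 'show version' text, or None."""
    m = _VERSION_RE.search(show_version)
    if not m:
        return None
    major, minor, maint, rebuild = m.groups()
    return int(major), int(minor), int(maint), rebuild


def is_vulnerable_version(version: Tuple[int, int, int, str]) -> bool:
    """Numeric comparison against FIRST_FIXED. A rebuild letter never moves a
    release across the 17.3.1 boundary, so it is ignored here."""
    return version[:3] < FIRST_FIXED


def wireless_traps_enabled(running_config: str) -> bool:
    """True if the running config still enables SNMP traps for wireless events."""
    return any(_TRAPS_RE.match(line) for line in running_config.splitlines())


def assess(show_version: str, running_config: str) -> str:
    """Classify one controller from its 'show version' and 'show running-config' output."""
    version = parse_iosxe_version(show_version)
    if version is None:
        return "unknown"
    if not is_vulnerable_version(version):
        return "patched"
    return "vulnerable-exposed" if wireless_traps_enabled(running_config) else "vulnerable-mitigated"


# Constructed sample output, trimmed to the lines the parser needs.
SHOW_VERSION_VULN = """\
Cisco IOS XE Software, Version 17.01.01
Cisco IOS Software [Amsterdam], C9800 Software (C9800_IOSXE-K9), Version 17.1.1, RELEASE SOFTWARE (fc1)
"""
SHOW_VERSION_FIXED = """\
Cisco IOS XE Software, Version 17.03.01
Cisco IOS Software [Amsterdam], C9800 Software (C9800_IOSXE-K9), Version 17.3.1, RELEASE SOFTWARE (fc5)
"""
CONFIG_TRAPS_ON = """\
hostname WLC-LAB
snmp-server community public RO
snmp-server enable traps wireless
snmp-server host 10.0.0.9 version 2c public
"""
CONFIG_TRAPS_OFF = """\
hostname WLC-LAB
snmp-server community public RO
snmp-server host 10.0.0.9 version 2c public
"""

if __name__ == "__main__":
    cases = [
        ("old release, traps on", SHOW_VERSION_VULN, CONFIG_TRAPS_ON),
        ("old release, traps off", SHOW_VERSION_VULN, CONFIG_TRAPS_OFF),
        ("17.3.1, traps on", SHOW_VERSION_FIXED, CONFIG_TRAPS_ON),
    ]
    for label, sv, cfg in cases:
        print(f"{label}: {assess(sv, cfg)}")
```

Feed it the two command outputs per controller; "vulnerable-exposed" is the queue to patch or apply the workaround first, "vulnerable-mitigated" still needs the upgrade, and "unknown" means the parser did not find a release string and the device needs a manual look.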

📡 Detection & Monitoring

Log Indicators:

  • Unexpected controller reloads: a %SYS-5-RESTART in syslog with no operator-initiated reload shortly before it, a 'Last reload reason' in 'show version' that is not a reload command, or new crash files (check crashinfo: where the platform provides it), especially when wireless client authentication events precede the reload.

Network Indicators:

  • Bursts of 802.1X/EAP authentication attempts from a single client MAC, or malformed authentication exchanges, on the WLANs of a controller in the minutes before it reloads.

SIEM Query:

Example: alert on %SYS-5-RESTART (or a non-operator 'Last reload reason') from a wireless controller that is not preceded by a %SYS-5-RELOAD from an administrator, then pull the 802.1X client authentication events from the same controller in the preceding minutes. The reload message carries no attacker address, so the useful pivot is the client MAC, AP and SSID in those authentication logs rather than a source IP.
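The correlation described above, as an added example that is not part of the original page: it scans IOS-style syslog lines for a %SYS-5-RESTART that is not preceded by an operator %SYS-5-RELOAD and summarises the 802.1X client events in the minutes before it, keyed by client MAC. The log lines are constructed to resemble IOS syslog; the exact wireless-client mnemonics on a given controller release differ, so the 'DOT1X' marker, the grace period and the lookback window are assumptions to tune.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# IOS-style syslog line: optional '*' (clock not authoritative), timestamp,
# optional milliseconds, then the %FACILITY-SEVERITY-MNEMONIC message.
_LINE_RE = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?:\s+(?P<msg>%.*)$"
)
# Cisco dotted MAC notation as printed in client messages, e.g. 00de.adbe.ef01
_MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Split one syslog line into (timestamp, message); None if it is not a syslog line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return ts, m["msg"]


def find_unexpected_reloads(lines: Iterable[str],
                            planned_grace: timedelta = timedelta(minutes=10),
                            lookback: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Flag %SYS-5-RESTART events with no operator %SYS-5-RELOAD within planned_grace
    before them, and summarise 802.1X (DOT1X) client activity in the lookback window."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    for i, (ts, msg) in enumerate(events):
        if "%SYS-5-RESTART" not in msg:
            continue
        earlier = [(t, m) for t, m in events[:i] if t <= ts]
        if any("%SYS-5-RELOAD" in m for t, m in earlier if ts - t <= planned_grace):
            continue  # operator-initiated reload: not our signal
        dot1x = [m for t, m in earlier if ts - t <= lookback and "DOT1X" in m]
        clients = Counter(mac for m in dot1x for mac in _MAC_RE.findall(m))
        findings.append({
            "restart_at": ts,
            "dot1x_events": len(dot1x),
            "top_clients": clients.most_common(3),
        })
    return findings


# Constructed sample log: one unexpected restart preceded by a burst of failed
# 802.1X attempts from a single client, then a planned reload that must not alert.
SAMPLE_LOG = """\
*Jun  3 10:00:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
*Jun  3 10:10:01.000: %DOT1X-5-SUCCESS: Authentication successful for client (aaaa.bbbb.0001) on Interface Capwap1
*Jun  3 10:14:30.210: %DOT1X-5-FAIL: Authentication failed for client (00de.adbe.ef01) with reason (Cred Fail) on Interface Capwap1
*Jun  3 10:14:31.305: %DOT1X-5-FAIL: Authentication failed for client (00de.adbe.ef01) with reason (Cred Fail) on Interface Capwap1
*Jun  3 10:14:32.418: %DOT1X-5-FAIL: Authentication failed for client (00de.adbe.ef01) with reason (Cred Fail) on Interface Capwap1
*Jun  3 10:15:22.100: %SYS-5-RESTART: System restarted -- Cisco IOS XE Software
*Jun  3 11:00:00.000: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.0.0.5). Reload Reason: Planned maintenance.
*Jun  3 11:03:10.000: %SYS-5-RESTART: System restarted -- Cisco IOS XE Software
"""

if __name__ == "__main__":
    for f in find_unexpected_reloads(SAMPLE_LOG.splitlines()):
        when = f["restart_at"].strftime("%b %d %H:%M:%S")
        print(f"unexpected restart at {when}: {f['dot1x_events']} DOT1X events, "
              f"top clients {f['top_clients']}")
```

The grace period is what keeps planned maintenance out of the alert queue; the lookback is deliberately short because the crash follows the crafted exchange closely, and the top-client list gives the responder the MAC to chase through AP and SSID records.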
