Cisco IOS XE WLC Out-of-Band Access Point Image Download Vulnerability Allowing Unauthenticated Arbitrary File Upload

Vulnerability

A vulnerability exists in Cisco IOS XE Software for Wireless LAN Controllers (WLCs) that could enable an unauthenticated, remote attacker to upload arbitrary files to the affected system. This issue arises from a hard-coded JSON Web Token (JWT) that can be exploited by sending crafted HTTPS requests to the Access Point (AP) file upload interface. Successful exploitation could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges. The vulnerability affects Cisco IOS XE Wireless Controller Software versions through 17.12.03.

Impact

Exploitation of this vulnerability allows for unauthenticated arbitrary file uploads, which can be leveraged to execute arbitrary commands with root privileges on the affected system.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTPS request to the '/aparchive/upload' or '/ap_spec_rec/upload/' endpoints on a Cisco IOS XE WLC device with the Out-of-Band AP Image Download feature enabled. The request must include a JWT that is signed with a hard-coded secret, allowing the upload of files to specified directories. After uploading a file, the OpenResty 'inotifywait' utility can be used to monitor file events and trigger a service reload, executing the uploaded file as a payload.

Remediation

Cisco has released software updates that address this vulnerability. For customers unable to upgrade, it is recommended to disable the Out-of-Band AP Image Download feature and apply infrastructure access control lists (iACLs) to limit traffic to the AP file upload interface.
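Because the advisory names the two AP file upload endpoints, a defender can watch for requests that reach them from anywhere other than the expected AP management network, and for traversal sequences in the request path. The script below is an added example, not code from the advisory or from Cisco: it assumes the controller's front end writes a Common-Log-Format-style access log (the real WLC format may differ, so the regex is the part to adapt), and the trusted subnet and log lines are constructed for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit

# Upload endpoints named in the advisory (the only page-specific values used here).
UPLOAD_ENDPOINTS = ("/aparchive/upload", "/ap_spec_rec/upload/")

# Assumption: the access log follows a Common-Log-Format-like layout.
# Adjust this regex to the actual log format of the controller.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Common encodings of a parent-directory traversal sequence.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)', re.IGNORECASE)

# Constructed: the subnet from which access points are expected to upload images.
TRUSTED_NETS = [ip_network("10.10.0.0/24")]

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
10.10.0.21 - - [01/Sep/2025:19:00:01 +0000] "POST /aparchive/upload HTTP/1.1" 200 512
203.0.113.45 - - [01/Sep/2025:19:02:17 +0000] "POST /aparchive/upload/..%2F..%2Fexample.txt HTTP/1.1" 200 1024
203.0.113.45 - - [01/Sep/2025:19:02:20 +0000] "POST /ap_spec_rec/upload/ HTTP/1.1" 200 2048
198.51.100.7 - - [01/Sep/2025:19:03:00 +0000] "GET /webui/ HTTP/1.1" 200 3000
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, trusted_nets):
    """Return the reasons a request is of interest; an empty list means not an upload request."""
    reasons = []
    path = entry["path"]
    route = urlsplit(path).path  # drop any query string before matching the route
    if not any(route.startswith(ep.rstrip("/")) for ep in UPLOAD_ENDPOINTS):
        return reasons
    reasons.append("ap-upload-endpoint")
    try:
        src = ip_address(entry["src"])
        if not any(src in net for net in trusted_nets):
            reasons.append("untrusted-source")
    except ValueError:
        reasons.append("unparseable-source")
    # Check both the raw and the percent-decoded path so encoded traversal is not missed.
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
        reasons.append("path-traversal")
    return reasons


def scan(log_text, trusted_nets):
    """Return one record per request that touched an AP upload endpoint."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry, trusted_nets)
        if reasons:
            hits.append({"src": entry["src"], "path": entry["path"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, TRUSTED_NETS):
        level = "ALERT" if len(hit["reasons"]) > 1 else "info"
        print(f"{level}: {hit['src']} {hit['path']} {', '.join(hit['reasons'])}")
```

Requests to the upload endpoints from the trusted AP subnet are reported at "info" level so the baseline of legitimate image uploads stays visible; anything from an untrusted source or carrying a traversal sequence is escalated. An alert of this kind on a controller that is still on an affected release and has the Out-of-Band AP Image Download feature enabled is a prompt to check the upload directories for unexpected files.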

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 7.2
remediation: 8.3
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.