Cisco IOS XE Software for Catalyst 9800 Series and Cisco AireOS Software for Cisco WLC Flexible NetFlow Version 9 Denial of Service Vulnerability
Description
A vulnerability in the Flexible NetFlow Version 9 processing of Cisco IOS XE and AireOS software allows an unauthenticated, remote attacker to cause a denial of service (DoS) with a crafted CAPWAP packet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Flexible NetFlow Version 9 packet processor of Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers and Cisco AireOS Software for Cisco Wireless LAN Controllers (WLC). It stems from insufficient validation of certain parameters in a Flexible NetFlow Version 9 record. Affected devices running these software platforms are vulnerable when Flexible NetFlow Version 9 is enabled.
Exploitation
An unauthenticated, remote attacker can exploit this vulnerability by spoofing the IP address of an existing Access Point on the network and sending a crafted Control and Provisioning of Wireless Access Points (CAPWAP) packet containing a malicious Flexible NetFlow Version 9 record to an affected device. No prior authentication or special privileges are required.
Impact
Successful exploitation causes a crash of the affected process, leading to a reload of the device. This results in a denial of service (DoS) condition, rendering the device unavailable until it completes the reboot cycle.
Mitigation
Cisco has released free software updates to address this vulnerability, as detailed in the advisory [1]. Customers should upgrade to fixed versions as indicated in the advisory. No workarounds are available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-wlc-fnfv9-EvrAQpNX (mitre, vendor-advisory, x_refsource_CISCO)