Cisco is currently addressing a serious vulnerability in over 200 models of wireless access points (APs) that utilize IOS XE software. This issue stems from a flawed library update which causes the flash memory log files in affected APs to grow by approximately 5MB per day. If not resolved promptly, this overflow could obstruct future software updates, leaving the devices vulnerable or potentially bricked.
According to Cisco’s advisory, the rapid consumption of memory could lead administrators to encounter insufficient space for software downloads. Rob Enderle, an analyst from the Enderle Group, emphasized the gravity of this situation, noting that it takes advantage of the physical limitations of flash memory in networking hardware, which can be hard to access or recover once it fails.
The update introduces a Catch-22 scenario: to fix the bug, administrators must upgrade the software, but the bug restricts enough memory to download that fix. Delays could force interventions that require physical access to the APs, significantly complicating recovery efforts.
Johannes Ullrich from the SANS Institute described the problem as uncommon, highlighting a greater concern about how effectively vendors manage vulnerabilities and the importance of ensuring patches are applied correctly. Similarly, Kellman Meghu from DeepCove Cybersecurity criticized the situation, expecting vendors to maintain memory efficiency for fixed devices and to act swiftly in rectifying such issues.
The affected APs include those running versions 17.12.4, 17.12.5, 17.12.6, and 17.12.6a, across a range of models including the Catalyst 9130AX series and Wi-Fi 6 Outdoor APs. To manage this issue, administrators can either use a Cisco tool named WLANPoller for automating fixes or manually check the devices for sufficient memory using the show boot command.
Cisco advises performing a mandatory precheck of the AP’s status before scheduled maintenance due to the daily increase in log size. If memory issues are detected, fixing the APs could require considerable time, especially if the devices have failed and need physical repairs.
Enderle suggests that monitoring hardware health metrics is crucial and should be a priority for Chief Security Officers (CSOs). He highlighted that this vulnerability, while not a data breach, poses a critical availability risk that could disrupt business operations if many devices fail to update or enter a boot loop. To prevent such occurrences, he recommends that all updates are tested in a lab environment prior to being rolled out to production fleets.
For more information, refer to Cisco’s advisory here.
