Johannes Ullrich, dean of research at the SANS Institute, called this particular problem uncommon, although he acknowledged flash memory space in IoT devices like access points is limited and may fill up from time to time.
“But,” he added, “there is a bigger issue: A competent [vendor] vulnerability management program must always include verification that the patch was indeed applied as expected. There are many reasons why a patch may not be applied correctly, and this is just one way a patch may fail to apply.”
Kellman Meghu, CTO of incident response firm DeepCove Cybersecurity, said overflowing a fixed device’s memory due to a bug “would have me rather annoyed with this vendor. This is very rare in my experience, and something that was an issue way back when storage costs were a factor. I would expect my vendor to be able to clean and manage storage for fixed devices. If this device is supported, this would be an RMA [return merchandise authorization] or fix issue, and expectation [for vendor action] would be right away/proactive.”
[Related content: Cisco Webex SSO flaw]
Affected are access points running IOS XE versions 17.12.4, 17.12.5, 17.12.6, and 17.12.6a. These include Cisco Catalyst 9130AX series APs, as well as 9130AX models with a Stadium Antenna, Catalyst 91361, 91621, 9163E, 91641, 9166D1, and IW9167 series APs, and Wi-Fi 6 Outdoor APs,
There are two ways for admins to solve the problem: Download a Cisco tool called WLANPoller, which automates execution of a fix across multiple APs, or manually use the show boot command on each device to look into the boot partition and see if it has enough space for an upgrade. Greater detail on the necessary action is in the Cisco advisory.
