From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 6 Nov 2005 14:24:33 +0200
Subject: [NEWS] Cisco Airespace Wireless LAN Controllers Allow Unencrypted Network Access
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20051106141305.9F22F5806@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco Airespace Wireless LAN Controllers Allow Unencrypted Network Access
------------------------------------------------------------------------
SUMMARY
Cisco Access Points operating in Lightweight Access Point Protocol (LWAPP)
mode may allow unauthenticated end hosts to send unencrypted traffic to a
secure network by sending frames from the Media Access Control (MAC)
address of an already authenticated end host.
Only the access points that are operating in LWAPP (i.e., controlled by a
separate Wireless LAN Controller) mode are affected. Access points that
are running in autonomous mode are not affected.
Cisco has made free software available to address this vulnerability for
affected customers.
DETAILS
Affected Products:
Vulnerable Products:
Cisco 1200, 1131, and 1240 series access points controlled by Cisco 2000
and 4400 series Airespace Wireless LAN (WLAN) Controllers that are running
software version 3.1.59.24 are affected by this vulnerability.
This issue is only applicable to deployments where there is a separate
WLAN controller. Any system without a separate WLAN controller is not
vulnerable.
Products Confirmed Not Vulnerable:
* Access points other than Cisco 1200, 1131 and 1240 series are not
affected.
* Access points that are deployed without a separate WLAN controller are
not affected.
* Access points that are controlled by WLAN controllers other than Cisco
2000 and 4400 series are not affected.
* Access points that are controlled by WLAN controllers which are running
a software version other than 3.1.59.24 are not affected.
* Access points that are running in autonomous mode are not affected.
* Access points that are running VxWorks are not affected.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details:
LWAPP is an open protocol for access point management. In this mode of
operation, a WLAN controller system is used to create and enforce policies
across multiple different lightweight access points. All functions
essential to WLAN operations are centrally controlled by WLAN controllers.
In this mode of operation, Cisco access points run a simplified version of
Cisco IOS . It is not possible to enter into configuration mode and
configure access points individually in this mode. More information on
LWAPP mode of operation can be found at the following URL:
<http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_white_paper0900aecd802c18ee.shtml>; Understanding the Lightweight Access Point Protocol (LWAPP)
A Cisco access point running in LWAPP mode can be checked by issuing the
following command from the console.
configure terminal
Access points running in LWAPP mode will not allow the user to enter into
configuration mode, but will return an error message instead as shown in
the following output.
AP000e.8466.5786>enable
AP000e.8466.5786#configure terminal
^
% Invalid input detected at '^' marker.
AP000e.8466.5786#
The alternative to LWAPP mode is the autonomous mode of operation. In this
mode, the access points are configured individually and run either VxWorks
or Cisco IOS operating systems.
Cisco 1200, 1131 and 1240 series access points that are controlled by 2000
or 4400 WLAN controllers in LWAPP mode of operation may accept unencrypted
traffic from end hosts even when configured to encrypt traffic. Such
traffic needs to be sourced from the MAC address of a legitimate, already
authenticated end host. By exploiting this vulnerability, an attacker may
send malicious traffic into a secure network. Legitimate end hosts will
still communicate with the access point in an encrypted manner.
Only the access points that are running in LWAPP mode are affected by this
vulnerability. Access points that are running in autonomous mode are not
affected.
In LWAPP mode, access points download their software from the WLAN
controller. Therefore, a software upgrade on the WLAN controller is
required to address this vulnerability.
This issue is documented by the Cisco bug ID CSCsc11134 (registered
customers only).
Impact:
Successful exploitation of the vulnerability may allow an attacker to send
malicious traffic to a secure wireless network via an access point that is
controlled by an affected WLAN controller.
Software Versions and Fixes:
When considering software upgrades, please also consult
<http://www.cisco.com/en/US/products/products_security_advisories_listing.html>; http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") for assistance.
In LWAPP mode of operation, it is not possible to change the software on
the access points individually. Access points download their software from
the WLAN controller. Therefore, a software upgrade on the WLAN controller
is required. This issue is fixed in version 3.1.105.0 of WLAN controller
software.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com.> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
