The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[NEWS] Cisco Airespace Wireless LAN Controllers Allow Unencrypted Network Access


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 6 Nov 2005 14:24:33 +0200
Subject: [NEWS] Cisco Airespace Wireless LAN Controllers Allow Unencrypted Network Access
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20051106141305.9F22F5806@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Cisco Airespace Wireless LAN Controllers Allow Unencrypted Network Access
------------------------------------------------------------------------


SUMMARY

Cisco Access Points operating in Lightweight Access Point Protocol (LWAPP) 
mode may allow unauthenticated end hosts to send unencrypted traffic to a 
secure network by sending frames from the Media Access Control (MAC) 
address of an already authenticated end host.

Only the access points that are operating in LWAPP (i.e., controlled by a 
separate Wireless LAN Controller) mode are affected. Access points that 
are running in autonomous mode are not affected.

Cisco has made free software available to address this vulnerability for 
affected customers.

DETAILS

Affected Products:
Vulnerable Products:
Cisco 1200, 1131, and 1240 series access points controlled by Cisco 2000 
and 4400 series Airespace Wireless LAN (WLAN) Controllers that are running 
software version 3.1.59.24 are affected by this vulnerability.

This issue is only applicable to deployments where there is a separate 
WLAN controller. Any system without a separate WLAN controller is not 
vulnerable.

Products Confirmed Not Vulnerable:
 * Access points other than Cisco 1200, 1131 and 1240 series are not 
affected.
 * Access points that are deployed without a separate WLAN controller are 
not affected.
 * Access points that are controlled by WLAN controllers other than Cisco 
2000 and 4400 series are not affected.
 * Access points that are controlled by WLAN controllers which are running 
a software version other than 3.1.59.24 are not affected.
 * Access points that are running in autonomous mode are not affected.
 * Access points that are running VxWorks are not affected.

No other Cisco products are currently known to be affected by these 
vulnerabilities.

Details:
LWAPP is an open protocol for access point management. In this mode of 
operation, a WLAN controller system is used to create and enforce policies 
across multiple different lightweight access points. All functions 
essential to WLAN operations are centrally controlled by WLAN controllers. 
In this mode of operation, Cisco access points run a simplified version of 
Cisco IOS . It is not possible to enter into configuration mode and 
configure access points individually in this mode. More information on 
LWAPP mode of operation can be found at the following URL:  
<http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_white_paper0900aecd802c18ee.shtml>; Understanding the Lightweight Access Point Protocol (LWAPP)

A Cisco access point running in LWAPP mode can be checked by issuing the 
following command from the console.
configure terminal

Access points running in LWAPP mode will not allow the user to enter into 
configuration mode, but will return an error message instead as shown in 
the following output.

AP000e.8466.5786>enable
  AP000e.8466.5786#configure terminal
                    ^
  % Invalid input detected at '^' marker.
      
  AP000e.8466.5786#

The alternative to LWAPP mode is the autonomous mode of operation. In this 
mode, the access points are configured individually and run either VxWorks 
or Cisco IOS operating systems.

Cisco 1200, 1131 and 1240 series access points that are controlled by 2000 
or 4400 WLAN controllers in LWAPP mode of operation may accept unencrypted 
traffic from end hosts even when configured to encrypt traffic. Such 
traffic needs to be sourced from the MAC address of a legitimate, already 
authenticated end host. By exploiting this vulnerability, an attacker may 
send malicious traffic into a secure network. Legitimate end hosts will 
still communicate with the access point in an encrypted manner.

Only the access points that are running in LWAPP mode are affected by this 
vulnerability. Access points that are running in autonomous mode are not 
affected.

In LWAPP mode, access points download their software from the WLAN 
controller. Therefore, a software upgrade on the WLAN controller is 
required to address this vulnerability.

This issue is documented by the Cisco bug ID CSCsc11134 (registered 
customers only).

Impact:
Successful exploitation of the vulnerability may allow an attacker to send 
malicious traffic to a secure wireless network via an access point that is 
controlled by an affected WLAN controller.

Software Versions and Fixes:
When considering software upgrades, please also consult  
<http://www.cisco.com/en/US/products/products_security_advisories_listing.html>; http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices 
to be upgraded contain sufficient memory and that current hardware and 
software configurations will continue to be supported properly by the new 
release. If the information is not clear, contact the Cisco Technical 
Assistance Center ("TAC") for assistance.

In LWAPP mode of operation, it is not possible to change the software on 
the access points individually. Access points download their software from 
the WLAN controller. Therefore, a software upgrade on the WLAN controller 
is required. This issue is fixed in version 3.1.105.0 of WLAN controller 
software.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:psirt@cisco.com.> Cisco 
Systems Product Security Incident Response Team.
The original article can be found at:  
<http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml>; 
http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру