AirMagnet researchers uncover a way for attackers to take advantage of Cisco Systems' Over-the-Air-Provisioning feature. Cisco responds with a security advisory giving some mitigations for the OTAP vulnerability.
Researchers at AirMagnet
have uncovered a serious flaw in a provisioning
system used by Cisco Systems
WLANs that could enable attackers to gain access to
According to AirMagnet's Intrusion Research Team, the vulnerability,
announced Aug. 25, lies in Cisco's OTAP (Over-the-Air-Provisioning) feature,
which helps users deploy WAPs (wireless access points). OTAP allows access
points to discover the management IP address of the WLAN controller.
However, the feature can also expose network information. The access points
can be incorrectly assigned to an outside Cisco controller by an attacker-an
exploit AirMagnet terms a SkyJack.
"As part of the Over-the-Air-Provisioning feature, Cisco APs regularly
broadcast a variety of configuration information including the IP and MAC
[media access control] address of the controller where the AP is currently
connected," said Wade Williamson, AirMagnet's director of product
management. "Unfortunately, anyone else listening to the air can do the
same thing, as this information is in the clear ... there is seemingly no way to
make the Cisco APs not broadcast this information even if the OTAP feature is
Hackers can make use of this OTAP behavior and inject fake AP traffic into
the air with a fake address that points the new AP back to the hacker's server
or controller, Williamson said. An attacker can essentially take control of the
AP and also create a breach in the wired network, he added.
In response, Cisco
issued an advisory Aug. 25
characterizing the vulnerability as relatively
mild. According to Cisco, the issue is caused by insufficient protections
during WAP association sequences, and can be exploited to cause a denial of
Cisco advises administrators to preconfigure access points with
preferred controller lists to deal with the issue. In addition, admins can also
use the Infrastructure
feature of Cisco Wireless LAN
Controllers to identity incorrectly associated access points. More advice is
available in the advisory.
"To exploit this vulnerability, an attacker must be able to deploy
a Cisco Wireless LAN Controller system
within radio proximity of the location where access points are being installed,
increasing the complexity of an attack," the advisory stated. "The
attacker must also have the manufacturing-installed certificate present on the
malicious Wireless LAN Controller."
Williamson noted that although the window of the exposure is relatively
narrow, the impact of the exploit if it succeeds is quite large.
"To have an outsider turn one of your own APs rogue and be connected
through a wired network is a severe breach," he said. "To make
matters more complicated, it's not out of the realm of possibility that a
hacker could create his own luck-remember that OTAP tells him exactly where to
find the wireless LAN controllers. If he can
take down the controller or network with a denial-of-service attack using this
information, he could potentially SkyJack an AP when the network comes back up."