AirMagnet researchers uncover a way for attackers to take advantage of Cisco Systems' Over-the-Air-Provisioning feature. Cisco responds with a security advisory giving some mitigations for the OTAP vulnerability.

Researchers at AirMagnet have uncovered a serious flaw in a provisioning system used by Cisco Systems WLANs that could enable attackers to gain access to WLAN-attached systems.
According to AirMagnet's Intrusion Research Team, the vulnerability, announced Aug. 25, lies in Cisco's OTAP (Over-the-Air-Provisioning) feature, which helps users deploy WAPs (wireless access points). OTAP allows a newly installed access point to discover the management IP address of the WLAN controller it should join.
However, the feature can also expose network information. An attacker can cause access points to be incorrectly assigned to an outside Cisco controller, an exploit AirMagnet terms a SkyJack.
"As part of the Over-the-Air-Provisioning feature, Cisco APs regularly broadcast a variety of configuration information, including the IP and MAC [media access control] address of the controller where the AP is currently connected," said Wade Williamson, AirMagnet's director of product management. "Unfortunately, anyone else listening to the air can do the same thing, as this information is in the clear. There is seemingly no way to make the Cisco APs not broadcast this information, even if the OTAP feature is turned off."
Hackers can make use of this OTAP behavior by injecting fake AP traffic into the air that advertises a controller address pointing the new AP back to the hacker's server or controller, Williamson said. An attacker can thereby take control of the AP and, since the AP is connected to the wired network, create a breach there as well, he added.
In response, Cisco issued an advisory Aug. 25 characterizing the vulnerability as relatively mild. According to Cisco, the issue is caused by insufficient protections during WAP association sequences, and can be exploited to cause a denial of service.
Cisco advises administrators to preconfigure access points with preferred controller lists, so that a new AP does not depend on an OTAP-learned address to find its controller. In addition, admins can use the Infrastructure Rogue Discovery feature of Cisco Wireless LAN Controllers to identify incorrectly associated access points. More advice is available in the advisory.
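What the preferred-controller mitigation looks like in practice, as an added example that is not part of the article or of Cisco's advisory: the commands below are Cisco Wireless LAN Controller (AireOS) CLI as the author of this example knows it, and the controller names, AP name and addresses are placeholders. Lines beginning with `!` are annotations for the reader, not commands the controller accepts. Check the exact syntax against the release notes for your controller software before relying on it.

```cisco
! Added example; not from the article or from Cisco. Placeholder names and
! addresses; command syntax assumed from the WLC CLI and to be verified.

! Pin AP "ap-lobby-01" to explicit primary, secondary and tertiary controllers.
! Syntax: config ap {primary|secondary|tertiary}-base <controller-name> <ap-name> [controller-ip]
! With these set, the AP tries the listed controllers in order and does not
! need an address heard over the air to find one.
config ap primary-base   WLC-HQ-1 ap-lobby-01 10.10.0.11
config ap secondary-base WLC-HQ-2 ap-lobby-01 10.10.0.12
config ap tertiary-base  WLC-DR-1 ap-lobby-01 10.20.0.11

! Confirm the assignment took effect (look for the Primary/Secondary/Tertiary
! Cisco Switch Name and IP fields in the output).
show ap config general ap-lobby-01

! Review what the controller has classified as rogue. One of your own APs
! showing up here after a deployment is a candidate SkyJack victim to check.
show rogue ap summary
```

The first three commands remove the AP's dependence on OTAP for controller discovery, which is the root of the attack the article describes; the last command is the manual counterpart to the rogue-detection advice, and is only useful if the list is actually reviewed after every AP installation.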
"To exploit this vulnerability, an attacker must be able to deploy a Cisco Wireless LAN Controller system within radio proximity of the location where access points are being installed, increasing the complexity of an attack," the advisory stated. "The attacker must also have the manufacturing-installed certificate present on the malicious Wireless LAN Controller."
Williamson noted that although the window of exposure is relatively narrow, the impact of a successful exploit is quite large.
"To have an outsider turn one of your own APs rogue and be connected through a wired network is a severe breach," he said. "To make matters more complicated, it's not out of the realm of possibility that a hacker could create his own luck. Remember that OTAP tells him exactly where to find the wireless LAN controllers. If he can take down the controller or network with a denial-of-service attack using this information, he could potentially SkyJack an AP when the network comes back up."