According to AirMagnet's Intrusion Research Team, the vulnerability, announced Aug. 25, lies in Cisco's OTAP (Over-the-Air-Provisioning) feature, which helps users deploy WAPs (wireless access points). OTAP allows access points to discover the management IP address of the WLAN controller.
However, the feature can also expose network information. The access points can be incorrectly assigned to an outside Cisco controller by an attacker, an exploit AirMagnet terms a SkyJack.
"As part of the Over-the-Air-Provisioning feature, Cisco APs regularly broadcast a variety of configuration information including the IP and MAC [media access control] address of the controller where the AP is currently connected," said Wade Williamson, AirMagnet's director of product management. "Unfortunately, anyone else listening to the air can do the same thing, as this information is in the clear ... there is seemingly no way to make the Cisco APs not broadcast this information even if the OTAP feature is turned off."
Hackers can make use of this OTAP behavior and inject fake AP traffic into the air with a fake address that points the new AP back to the hacker's server or controller, Williamson said. An attacker can essentially take control of the AP and also create a breach in the wired network, he added.
In response, Cisco issued an advisory Aug. 25 characterizing the vulnerability as relatively mild. According to Cisco, the issue is caused by insufficient protections during WAP association sequences, and can be exploited to cause a denial of service.
Cisco advises administrators to preconfigure access points with preferred controller lists to deal with the issue. In addition, admins can use the Infrastructure Rogue Discovery feature of Cisco Wireless LAN Controllers to identify incorrectly associated access points. More advice is available in the advisory.
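The two mitigations above amount to one control: every access point should only ever be joined to a controller on its own preferred list, and anything else is an incorrect association worth reviewing. The following script is an added illustration of that check, not code from the article, Cisco or AirMagnet; the record layout (AP name, currently joined controller, preferred-controller tuple), the sample inventory and the addresses are all constructed for the example.

```python
"""Flag access points whose joined controller is not on their preferred list.

Added example, not from the article or from Cisco/AirMagnet. The record
fields and the sample inventory below are assumptions constructed for the
example, not a Cisco data format.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Controller:
    ip: str
    mac: str


@dataclass
class AccessPoint:
    name: str
    joined: Controller                  # controller the AP currently reports
    preferred: tuple[Controller, ...]   # primary/secondary/tertiary allow-list


def _key(c: Controller) -> tuple[str, str]:
    # Normalise so "00:00:5E:00:53:01", "00-00-5e-00-53-01" and
    # "0000.5e00.5301" all compare equal; IPs are compared as trimmed strings.
    mac = c.mac.lower().replace(":", "").replace("-", "").replace(".", "")
    return (c.ip.strip(), mac)


def is_misassociated(ap: AccessPoint) -> bool:
    """True when the AP has joined a controller outside its preferred list.

    An empty preferred list is treated as a finding too: an AP with no
    preconfigured controllers is exactly the case the advisory's mitigation
    (preconfiguring preferred controller lists) is meant to remove.
    """
    if not ap.preferred:
        return True
    allowed = {_key(c) for c in ap.preferred}
    return _key(ap.joined) not in allowed


def find_misassociated(aps) -> list[str]:
    """Return the sorted names of every AP that needs review."""
    return sorted(ap.name for ap in aps if is_misassociated(ap))


# Constructed sample inventory: RFC 5737 documentation addresses and
# made-up MAC addresses, not real controllers.
TRUSTED_PRIMARY = Controller("192.0.2.10", "00:00:5e:00:53:01")
TRUSTED_BACKUP = Controller("192.0.2.11", "00:00:5e:00:53:02")
UNKNOWN = Controller("198.51.100.77", "00:00:5e:00:53:ff")

SAMPLE_APS = [
    AccessPoint("ap-lobby-1", TRUSTED_PRIMARY, (TRUSTED_PRIMARY, TRUSTED_BACKUP)),
    AccessPoint("ap-floor2-3", TRUSTED_BACKUP, (TRUSTED_PRIMARY, TRUSTED_BACKUP)),
    # Joined to a controller nobody configured: the case to investigate.
    AccessPoint("ap-floor3-1", UNKNOWN, (TRUSTED_PRIMARY, TRUSTED_BACKUP)),
    # Correct controller today, but no preferred list to keep it there.
    AccessPoint("ap-new-unboxed", TRUSTED_PRIMARY, ()),
]

if __name__ == "__main__":
    for name in find_misassociated(SAMPLE_APS):
        print("REVIEW:", name)
```

Run against the constructed inventory it reports `ap-floor3-1` (joined to an unknown controller) and `ap-new-unboxed` (no preferred list at all); the two correctly joined APs are silent. Feeding it a real inventory means exporting each AP's joined and configured controllers from your own management tooling, which the script deliberately does not assume.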
"To exploit this vulnerability, an attacker must be able to deploy a Cisco Wireless LAN Controller system within radio proximity of the location where access points are being installed, increasing the complexity of an attack," the advisory stated. "The attacker must also have the manufacturing-installed certificate present on the malicious Wireless LAN Controller."
Williamson noted that although the window of the exposure is relatively narrow, the impact of the exploit if it succeeds is quite large.
"To have an outsider turn one of your own APs rogue and be connected through a wired network is a severe breach," he said. "To make matters more complicated, it's not out of the realm of possibility that a hacker could create his own luck: remember that OTAP tells him exactly where to find the wireless LAN controllers. If he can take down the controller or network with a denial-of-service attack using this information, he could potentially SkyJack an AP when the network comes back up."