Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Cisco Airespace Wireless LAN Controllers Allow Unencrypted Networ

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Cisco Airespace Wireless LAN Controllers Allow Unencrypted Network Access
Date: 6 Nov 2005 14:24:33 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Cisco Airespace Wireless LAN Controllers Allow Unencrypted Network Access
------------------------------------------------------------------------


SUMMARY

Cisco Access Points operating in Lightweight Access Point Protocol (LWAPP) 
mode may allow unauthenticated end hosts to send unencrypted traffic to a 
secure network by sending frames from the Media Access Control (MAC) 
address of an already authenticated end host.

Only the access points that are operating in LWAPP (i.e., controlled by a 
separate Wireless LAN Controller) mode are affected. Access points that 
are running in autonomous mode are not affected.

Cisco has made free software available to address this vulnerability for 
affected customers.

DETAILS

Affected Products:
Vulnerable Products:
Cisco 1200, 1131, and 1240 series access points controlled by Cisco 2000 
and 4400 series Airespace Wireless LAN (WLAN) Controllers that are running 
software version 3.1.59.24 are affected by this vulnerability.

This issue is only applicable to deployments where there is a separate 
WLAN controller. Any system without a separate WLAN controller is not 
vulnerable.

Products Confirmed Not Vulnerable:
 * Access points other than Cisco 1200, 1131 and 1240 series are not 
affected.
 * Access points that are deployed without a separate WLAN controller are 
not affected.
 * Access points that are controlled by WLAN controllers other than Cisco 
2000 and 4400 series are not affected.
 * Access points that are controlled by WLAN controllers which are running 
a software version other than 3.1.59.24 are not affected.
 * Access points that are running in autonomous mode are not affected.
 * Access points that are running VxWorks are not affected.

No other Cisco products are currently known to be affected by these 
vulnerabilities.

Details:
LWAPP is an open protocol for access point management. In this mode of 
operation, a WLAN controller system is used to create and enforce policies 
across multiple different lightweight access points. All functions 
essential to WLAN operations are centrally controlled by WLAN controllers. 
In this mode of operation, Cisco access points run a simplified version of 
Cisco IOS . It is not possible to enter into configuration mode and 
configure access points individually in this mode. More information on 
LWAPP mode of operation can be found at the following URL:  
<http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_white_paper0900aecd802c18ee.shtml>
 Understanding the Lightweight Access Point Protocol (LWAPP)

A Cisco access point running in LWAPP mode can be checked by issuing the 
following command from the console.
configure terminal

Access points running in LWAPP mode will not allow the user to enter into 
configuration mode, but will return an error message instead as shown in 
the following output.

AP000e.8466.5786>enable
  AP000e.8466.5786#configure terminal
                    ^
  % Invalid input detected at '^' marker.
      
  AP000e.8466.5786#

The alternative to LWAPP mode is the autonomous mode of operation. In this 
mode, the access points are configured individually and run either VxWorks 
or Cisco IOS operating systems.

Cisco 1200, 1131 and 1240 series access points that are controlled by 2000 
or 4400 WLAN controllers in LWAPP mode of operation may accept unencrypted 
traffic from end hosts even when configured to encrypt traffic. Such 
traffic needs to be sourced from the MAC address of a legitimate, already 
authenticated end host. By exploiting this vulnerability, an attacker may 
send malicious traffic into a secure network. Legitimate end hosts will 
still communicate with the access point in an encrypted manner.

Only the access points that are running in LWAPP mode are affected by this 
vulnerability. Access points that are running in autonomous mode are not 
affected.

In LWAPP mode, access points download their software from the WLAN 
controller. Therefore, a software upgrade on the WLAN controller is 
required to address this vulnerability.

This issue is documented by the Cisco bug ID CSCsc11134 (registered 
customers only).

Impact:
Successful exploitation of the vulnerability may allow an attacker to send 
malicious traffic to a secure wireless network via an access point that is 
controlled by an affected WLAN controller.

Software Versions and Fixes:
When considering software upgrades, please also consult  
<http://www.cisco.com/en/US/products/products_security_advisories_listing.html> 
http://www.cisco.com/en/US/products/products_security_advisories_listing.html 
and any subsequent advisories to determine exposure and a complete upgrade 
solution.

In all cases, customers should exercise caution to be certain the devices 
to be upgraded contain sufficient memory and that current hardware and 
software configurations will continue to be supported properly by the new 
release. If the information is not clear, contact the Cisco Technical 
Assistance Center ("TAC") for assistance.

In LWAPP mode of operation, it is not possible to change the software on 
the access points individually. Access points download their software from 
the WLAN controller. Therefore, a software upgrade on the WLAN controller 
is required. This issue is fixed in version 3.1.105.0 of WLAN controller 
software.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:psirt@cisco.com> Cisco 
Systems Product Security Incident Response Team.
The original article can be found at:  
<http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml> 
http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Cisco Airespace Wireless LAN Controllers Allow Unencrypted Network Access, SecuriTeam <=
Previous by Date:  [NEWS] FlatFrag Multiple Buffer Overflow and DoS, SecuriTeam
Next by Date:  [EXPL] Microsoft Windows UMPNPMGR Remote (Exploit, MS05-047), SecuriTeam
Previous by Thread:  [NEWS] FlatFrag Multiple Buffer Overflow and DoS, SecuriTeam
Next by Thread:  [EXPL] Microsoft Windows UMPNPMGR Remote (Exploit, MS05-047), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]