[NT] Windows XP Disclosure of Registered AP Information

From: support@securiteam.com
Date: 12/05/02

    To: list@securiteam.com
    Date: 5 Dec 2002 23:05:40 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Windows XP Disclosure of Registered AP Information
    ------------------------------------------------------------------------

    SUMMARY

    Windows XP's wireless LAN feature may disclose information about
    registered access points.

    Packets encrypted with WEP could be sent out even if the radio wave of the
    original access point does not propagate well.

    There is a risk that the list of SSID values assigned to registered access
    points and the packets encrypted with WEP may be intercepted and
    decrypted.

    DETAILS

    Windows XP machines using wireless LAN automatically search for
    available access points. If none is found, requests for the already
    registered access points are sent continuously until a connection is
    achieved.

    If an access point is set up with the same SSID as an access point already
    configured in Windows XP, Windows XP will recognize it as the same
    access point. Windows XP will then encrypt packets with WEP and start
    transmission.

    Information regarding registered SSIDs can be obtained from available
    inquiry packets by using a packet monitoring tool for wireless LAN.

    Additionally, WEP-encrypted packets that a Windows XP machine sends to any
    of its registered access points can also be intercepted by establishing an
    access point with the same SSID.

    As the functions to search for available access points and to send inquiry
    requests are always enabled, Windows XP machines using the wireless LAN
    feature will leak SSID information of registered access points if they
    cannot establish a connection with an available access point.
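
    An audit check for the leak described above, added here as an example and not part of the original advisory: it walks raw 802.11 management frames, picks out the inquiry (probe) requests that name an SSID, and reports which SSIDs each client discloses. It assumes frames with no radiotap or FCS wrapper; the function names and sample frames are constructed for illustration.

```python
from collections import defaultdict

MGMT_HDR_LEN = 24   # frame control, duration, 3 addresses, sequence control
TAG_SSID = 0        # element ID of the SSID information element

def parse_probe_ssid(frame: bytes):
    """Return (source_mac, ssid) for a probe request naming an SSID, else None."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
    if (version, ftype, subtype) != (0, 0, 4):   # management / probe request
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # address 2 = sender
    body, i = frame[MGMT_HDR_LEN:], 0
    while i + 2 <= len(body):                    # walk the tagged parameters
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:                  # truncated element: stop
            return None
        if tag == TAG_SSID:
            if not 0 < length <= 32:             # wildcard or invalid length
                return None
            return src, value.decode("utf-8", "replace")
        i += 2 + length
    return None

def leaked_ssids(frames):
    """Map each client MAC to the sorted SSIDs it disclosed in probe requests."""
    seen = defaultdict(set)
    for frame in frames:
        hit = parse_probe_ssid(frame)
        if hit:
            seen[hit[0]].add(hit[1])
    return {mac: sorted(ssids) for mac, ssids in seen.items()}

# --- constructed sample frames (not captured traffic) ---
def _tag(tid, val):
    return bytes([tid, len(val)]) + val

def _frame(fc0, src_hex, tags):
    bcast = b"\xff" * 6
    return bytes([fc0, 0, 0, 0]) + bcast + bytes.fromhex(src_hex) + bcast + b"\0\0" + tags

RATES = _tag(1, b"\x02\x04\x0b\x16")
SAMPLE_FRAMES = [
    _frame(0x40, "020000000001", _tag(0, b"CorpWLAN") + RATES),  # names an SSID
    _frame(0x40, "020000000001", _tag(0, b"HomeNet") + RATES),   # names an SSID
    _frame(0x40, "020000000002", _tag(0, b"") + RATES),          # wildcard probe
    _frame(0x80, "020000000003", _tag(0, b"CorpWLAN")),          # beacon subtype, ignored
    _frame(0x40, "020000000004", b"\x00\x08Corp"),               # truncated SSID element
]
```

    Running `leaked_ssids(SAMPLE_FRAMES)` reports only the first client, since wildcard probes, non-probe frames and malformed elements disclose no registered SSID.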

    In addition, WEP is susceptible to some already known vulnerabilities.
    Data encrypted with 40-bit keys can be decrypted through brute force
    attacks in a short period of time. With 104-bit encryption, it has been
    reported that data can be decrypted in approximately two weeks.

    Consequently, sending out packets encrypted with WEP is not a recommended
    security practice in an environment where the original access points are
    not available.

    Refer to the following URL for explanatory figures:
    http://www.lac.co.jp/security/english/snsadv_e/60_e.html

    Solution:
    Disable the wireless LAN function of Windows XP and use third-party
    drivers that are not susceptible to the problem described above.

    Vendor status:
    The Security Response Team of Microsoft Asia Limited was informed about
    this issue on August 30, 2002. After discussions with the team, the
    conclusion drawn was that the problem was related to the software
    specification. Therefore, consent from the Security Response Team of
    Microsoft Asia Limited was obtained to publish this advisory.

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.lac.co.jp/security/english/snsadv_e/60_e.html

    The information has been provided by Nobuo Miwa <n-miwa@lac.co.jp>
    of SNS Advisory <snsadv@lac.co.jp>.
