[NEWS] Multiple Vulnerabilities In Cisco AP1x00

From: SecuriTeam (support_at_securiteam.com)
Date: 07/31/03

    To: list@securiteam.com
    Date: 31 Jul 2003 13:48:32 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      Multiple Vulnerabilities In Cisco AP1x00
    ------------------------------------------------------------------------

    SUMMARY

    The Cisco Aironet 1100 Series Access Point is a device manufactured by
    Cisco Systems offering a WLAN solution based on the 802.11b WiFi standard.

    Two security vulnerabilities have been found in the product: the Aironet
    Bridge is vulnerable to a brute-force attack that reveals whether or not
    an account exists, and the Aironet Bridge is vulnerable to a denial of
    service. Both vulnerabilities can be exploited remotely by an attacker.

    DETAILS

    Vulnerable Systems:
     * Firmware 12.2(4)JA and earlier.

    Malformed HTTP Request Crash Vulnerability
    It is possible to cause the Cisco Aironet Access Point to crash and reboot
    if the HTTP server feature is enabled. This is accomplished by submitting
    a specially crafted request to the web server. No authentication is needed
    to perform this attack; only access to the web server is required. The
    Aironet Bridge fails to handle the request correctly and reboots upon
    receiving it. Afterwards, no further access to the WLAN or its services is
    possible.

    Workaround:
     * If not needed, disable access to the web feature on the Aironet
       Bridge.
     * If needed, restrict access to the HTTP service from outside
       connections.

    Valid Account Disclosure
    A flaw in firmware version 12.2(4)JA and earlier allows a malicious remote
    user to discover which accounts are valid on the targeted Cisco Aironet
    Access Point using classical brute-force techniques. Exploitation of this
    flaw is possible if the telnet service is enabled with authentication.

    If an attacker submits an existing account name as the login, he is then
    prompted for the password. Otherwise, the server replies "% Login
    invalid", revealing that the account does not exist. By default on the
    Aironet AP1100, the 'cisco' account is present and is prompted for a
    password when submitted. That default account therefore allows an attacker
    to determine whether or not the remote device is patched against this
    flaw. This may lead to further, more serious attacks.

    Workaround:
    Restrict access to your telnet service from outside your WLAN. A stronger
    authentication mechanism, such as SSH, can also be used.
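    As an added illustration (not code from the advisory, from Cisco, or from
    the reporter), the toy model below contrasts the leaky login dialog
    described above with one that answers uniformly. The account store, the
    password and the prompt strings are constructed for this example.

```python
# Added toy model of the telnet login dialog discussed in this advisory.
# Nothing here is Cisco code; the account store and responses are constructed.
import hashlib
import hmac

# Constructed account store: username -> SHA-256 hex digest of its password.
ACCOUNTS = {"cisco": hashlib.sha256(b"example-password").hexdigest()}
_DUMMY_DIGEST = "0" * 64  # compared against when the account is unknown


def _password_ok(user, password):
    """Constant-time check; unknown users are compared to a dummy digest so
    the timing does not depend on whether the account exists."""
    stored = ACCOUNTS.get(user, _DUMMY_DIGEST)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, supplied)


def vulnerable_login(user, password):
    """Leaky flow: an unknown account is rejected before any password prompt,
    so the dialog itself reveals whether the account exists."""
    if user not in ACCOUNTS:
        return ["% Login invalid"]          # distinguishable: no password prompt
    outcome = "Welcome" if _password_ok(user, password) else "% Login invalid"
    return ["Password:", outcome]           # only existing accounts get here


def hardened_login(user, password):
    """Fixed flow: always prompt for a password and give one uniform answer,
    so an existing account with a wrong password looks exactly like an
    unknown account."""
    outcome = "Welcome" if _password_ok(user, password) else "% Login invalid"
    return ["Password:", outcome]


def leaks_account_existence(login):
    """Defender's check: does the dialog differ between an existing and an
    unknown account when a wrong password is supplied? True means the login
    flow is an account-enumeration oracle."""
    existing = login("cisco", "wrong-password")
    unknown = login("no-such-user", "wrong-password")
    return existing != unknown


if __name__ == "__main__":
    print("vulnerable flow leaks:", leaks_account_existence(vulnerable_login))
    print("hardened flow leaks:  ", leaks_account_existence(hardened_login))
```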

    ADDITIONAL INFORMATION

    The official Cisco advisory can be found at:
    http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml

    The information was provided by Reda Zitouni (reda.zitouni@vigilante.com).


