[NEWS] Cisco Airespace Wireless LAN Controllers Allow Unencrypted Network Access

From: SecuriTeam (support_at_securiteam.com)
Date: 11/06/05

  • Next message: SecuriTeam: "[EXPL] Microsoft Windows UMPNPMGR Remote (Exploit, MS05-047)" 
    To: list@securiteam.com
Date: 6 Nov 2005 14:24:33 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Cisco Airespace Wireless LAN Controllers Allow Unencrypted Network Access
    ------------------------------------------------------------------------

    SUMMARY

    Cisco Access Points operating in Lightweight Access Point Protocol (LWAPP)
    mode may allow unauthenticated end hosts to send unencrypted traffic to a
    secure network by sending frames from the Media Access Control (MAC)
    address of an already authenticated end host.

    Only the access points that are operating in LWAPP (i.e., controlled by a
    separate Wireless LAN Controller) mode are affected. Access points that
    are running in autonomous mode are not affected.

    Cisco has made free software available to address this vulnerability for
    affected customers.

    DETAILS

    Affected Products:
    Vulnerable Products:
    Cisco 1200, 1131, and 1240 series access points controlled by Cisco 2000
    and 4400 series Airespace Wireless LAN (WLAN) Controllers that are running
    software version 3.1.59.24 are affected by this vulnerability.

    This issue is only applicable to deployments where there is a separate
    WLAN controller. Any system without a separate WLAN controller is not
    vulnerable.

    Products Confirmed Not Vulnerable:
     * Access points other than Cisco 1200, 1131 and 1240 series are not
    affected.
     * Access points that are deployed without a separate WLAN controller are
    not affected.
     * Access points that are controlled by WLAN controllers other than Cisco
    2000 and 4400 series are not affected.
     * Access points that are controlled by WLAN controllers which are running
    a software version other than 3.1.59.24 are not affected.
     * Access points that are running in autonomous mode are not affected.
     * Access points that are running VxWorks are not affected.

    No other Cisco products are currently known to be affected by these
    vulnerabilities.

    Details:
    LWAPP is an open protocol for access point management. In this mode of
    operation, a WLAN controller system is used to create and enforce policies
    across multiple different lightweight access points. All functions
    essential to WLAN operations are centrally controlled by WLAN controllers.
    In this mode of operation, Cisco access points run a simplified version of
    Cisco IOS . It is not possible to enter into configuration mode and
    configure access points individually in this mode. More information on
    LWAPP mode of operation can be found at the following URL:
    <http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_white_paper0900aecd802c18ee.shtml> Understanding the Lightweight Access Point Protocol (LWAPP)

    A Cisco access point running in LWAPP mode can be checked by issuing the
    following command from the console.
    configure terminal

    Access points running in LWAPP mode will not allow the user to enter into
    configuration mode, but will return an error message instead as shown in
    the following output.

    AP000e.8466.5786>enable
      AP000e.8466.5786#configure terminal
                        ^
      % Invalid input detected at '^' marker.
          
      AP000e.8466.5786#

    The alternative to LWAPP mode is the autonomous mode of operation. In this
    mode, the access points are configured individually and run either VxWorks
    or Cisco IOS operating systems.

    Cisco 1200, 1131 and 1240 series access points that are controlled by 2000
    or 4400 WLAN controllers in LWAPP mode of operation may accept unencrypted
    traffic from end hosts even when configured to encrypt traffic. Such
    traffic needs to be sourced from the MAC address of a legitimate, already
    authenticated end host. By exploiting this vulnerability, an attacker may
    send malicious traffic into a secure network. Legitimate end hosts will
    still communicate with the access point in an encrypted manner.

    Only the access points that are running in LWAPP mode are affected by this
    vulnerability. Access points that are running in autonomous mode are not
    affected.

    In LWAPP mode, access points download their software from the WLAN
    controller. Therefore, a software upgrade on the WLAN controller is
    required to address this vulnerability.

    This issue is documented by the Cisco bug ID CSCsc11134 (registered
    customers only).

    Impact:
    Successful exploitation of the vulnerability may allow an attacker to send
    malicious traffic to a secure wireless network via an access point that is
    controlled by an affected WLAN controller.

    Software Versions and Fixes:
    When considering software upgrades, please also consult
    <http://www.cisco.com/en/US/products/products_security_advisories_listing.html> http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should exercise caution to be certain the devices
    to be upgraded contain sufficient memory and that current hardware and
    software configurations will continue to be supported properly by the new
    release. If the information is not clear, contact the Cisco Technical
    Assistance Center ("TAC") for assistance.

    In LWAPP mode of operation, it is not possible to change the software on
    the access points individually. Access points download their software from
    the WLAN controller. Therefore, a software upgrade on the WLAN controller
    is required. This issue is fixed in version 3.1.105.0 of WLAN controller
    software.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:psirt@cisco.com> Cisco
    Systems Product Security Incident Response Team.
    The original article can be found at:
    <http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml>
    http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Microsoft Windows UMPNPMGR Remote (Exploit, MS05-047)"