Cisco Security Response

Wi-Fi Protected Setup PIN Brute Force Vulnerability

Document ID: 690

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

Revision 4.0

Last Updated on 2012 February 29 20:15  UTC (GMT)

For Public Release 2012 January 11 16:00  UTC (GMT)


Contents

Response
Additional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures

Cisco Response

On December 27th, 2011 US-CERT released VU#723755 available here:
http://www.kb.cert.org/vuls/id/723755

The US-CERT Vulnerability Note describes a vulnerability that exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) certification program. The WPS certification program is based on the Wi-Fi Simple Configuration protocol, in which an Access Point (AP) has a static PIN that allows access and configuration from an External Registrar (ER). An AP with WPS enabled and configured to use a static PIN will allow a WPS-capable ER, that provides the correct PIN, to join a properly secured network. A weakness in the protocol affects all APs that have a static PIN, and may allow an unauthenticated, remote attacker to use brute force calculations to determine the AP's PIN in a short amount of time.

The vulnerability is due to a flaw that allows an attacker to determine when the first four digits of the eight-digit PIN are known. This effectively reduces the PIN space from 10^7 or 10,000,000 possible values to 10^4 + 10^3, which is 11,000 possible values. The eighth digit of the PIN is utilized as a checksum of the first seven digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could find the WPS PIN in as little as a few hours.

The affected devices listed below implement a 60-second lockout after three unsuccessful attempts to authenticate to the device.  While this does not substantially mitigate this issue, it does increase the time to exploit the protocol weakness from a few hours to at most several days.  It is our recommendation to disable the WPS feature to prevent exploitation of this vulnerability. 
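
The arithmetic behind the two paragraphs above, as an added example that is not part of Cisco's response: it checks the eighth-digit checksum, counts the reduced PIN space, and models the worst-case time with and without the 60-second lockout. The 1-second-per-attempt figure and the sample PIN 12345670 are assumptions made here; the check-digit rule is the one defined by the Wi-Fi Simple Configuration specification.

```python
import math

def wps_checksum(first7: int) -> int:
    """Check digit over the first seven PIN digits (Wi-Fi Simple Configuration rule)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10

def pin_is_well_formed(pin: str) -> bool:
    """True if pin is 8 digits and digit 8 matches the checksum of digits 1-7."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])

def search_space(halves_confirmed_separately: bool) -> int:
    """Worst-case number of PIN guesses; digit 8 is derived, so it adds nothing."""
    if halves_confirmed_separately:      # digits 1-4, then digits 5-7
        return 10**4 + 10**3
    return 10**7                          # all seven free digits at once

def worst_case_seconds(attempts, secs_per_attempt, lockout_after, lockout_secs):
    """Time to exhaust `attempts` guesses when every `lockout_after` failures
    trigger a pause of `lockout_secs` (lockout_after=0 means no lockout)."""
    lockouts = (attempts - 1) // lockout_after if lockout_after else 0
    return attempts * secs_per_attempt + lockouts * lockout_secs

def min_lockout_secs(attempts, secs_per_attempt, lockout_after, target_secs):
    """Smallest fixed lockout that pushes the worst case to at least target_secs."""
    lockouts = (attempts - 1) // lockout_after
    return max(0, math.ceil((target_secs - attempts * secs_per_attempt) / lockouts))

if __name__ == "__main__":
    SECS_PER_ATTEMPT = 1                  # assumption, not a figure from the advisory
    n = search_space(True)
    print("well-formed sample PIN 12345670:", pin_is_well_formed("12345670"))
    print("guesses needed:", n, "instead of", search_space(False))
    print("no lockout: %.1f hours" % (worst_case_seconds(n, SECS_PER_ATTEMPT, 0, 0) / 3600))
    print("60 s after 3 failures: %.1f days"
          % (worst_case_seconds(n, SECS_PER_ATTEMPT, 3, 60) / 86400))
    print("lockout needed for a one-year worst case: %d s"
          % min_lockout_secs(n, SECS_PER_ATTEMPT, 3, 365 * 86400))
```

Under these assumptions the lockout moves the worst case from about 3 hours to under 3 days, which is why the response treats it as insufficient and recommends disabling WPS.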

Vulnerable Products:

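| Category | Product Name | Is the WPS feature enabled by default? | Can the WPS feature be permanently disabled? |
|---|---|---|---|
| Access Points | Cisco WAP4410N | Yes | No |
| Unified Communications | Cisco UC320W | Yes | Yes (See Note 2) |
| Wireless Routers/VPN/Firewall Devices | Cisco RV110W | Yes | Yes |
| Wireless Routers/VPN/Firewall Devices | Cisco RV120W | No | Yes |
| Wireless Routers/VPN/Firewall Devices | Cisco SRP521W | Yes | Yes |
| Wireless Routers/VPN/Firewall Devices | Cisco SRP526W | Yes | Yes |
| Wireless Routers/VPN/Firewall Devices | Cisco SRP527W | Yes | Yes |
| Wireless Routers/VPN/Firewall Devices | Cisco SRP541W | Yes | Yes |
| Wireless Routers/VPN/Firewall Devices | Cisco SRP546W | Yes | Yes |
| Wireless Routers/VPN/Firewall Devices | Cisco SRP547W | Yes | Yes |
| Wireless Routers/VPN/Firewall Devices | Cisco WRP400 | Yes | No |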

Note 1: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products is available at http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154

Note 2: The UC320W series devices can be configured to disable WPS through a Platform Modification File (PMF).  A PMF to accomplish this has been posted as DisableWPS.pmf at the following link: https://supportforums.cisco.com/docs/DOC-16301

Products Under Investigation:

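| Category | Product Name | Is the WPS feature enabled by default? | Can the WPS feature be permanently disabled? |
|---|---|---|---|
| Cable and DSL Home Access Products | Cisco DPC/EPC2320 | Under Investigation | Under Investigation |
| Cable and DSL Home Access Products | Cisco DPC/EPC2325 | Under Investigation | Under Investigation |
| Cable and DSL Home Access Products | Cisco DPC/EPC2325R2 | Under Investigation | Under Investigation |
| Cable and DSL Home Access Products | Cisco DPC/EPC2420 | Under Investigation | Under Investigation |
| Cable and DSL Home Access Products | Cisco DPC/EPC/DPQ2425 | Under Investigation | Under Investigation |
| Cable and DSL Home Access Products | Cisco DPC/EPC2425R2 | Under Investigation | Under Investigation |
| Cable and DSL Home Access Products | Cisco DPC/EPC2434 | Under Investigation | Under Investigation |
| Cable and DSL Home Access Products | Cisco DPC/EPC3825 | Under Investigation | Under Investigation |
| Cable and DSL Home Access Products | Cisco DPC/EPC3827 | Under Investigation | Under Investigation |
| Cable and DSL Home Access Products | Cisco DPC/EPC/DPQ3925 | Under Investigation | Under Investigation |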

Products Confirmed Not Vulnerable:

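| Category | Product Name | Not Affected Reason |
|---|---|---|
| Access Points/Wireless Bridges | Cisco AP541N | Does not support WPS |
| Access Points/Wireless Bridges | Cisco WAP200 | Does not support WPS |
| Access Points/Wireless Bridges | Cisco WAP200E | Does not support WPS |
| Access Points/Wireless Bridges | Cisco WAP2000 | Does not support WPS |
| Access Points/Wireless Bridges | Cisco WET200 | Does not support WPS |
| Unified Communications | Cisco UC500 Series | Does not support WPS |
| Wireless Cameras | Cisco WVC210 | Does not support WPS |
| Wireless Cameras | Cisco WVC2300 | Does not support WPS |
| Wireless Routers/VPN/Firewall Devices | Cisco SA520W | WPS not enabled by default; does not support PIN-ER configuration mode |
| Wireless Routers/VPN/Firewall Devices | Cisco RV220W | Does not support WPS |
| Wireless Routers/VPN/Firewall Devices | Cisco WRV210 | Does not support WPS |
| Wireless Routers/VPN/Firewall Devices | Cisco WRVS4400N | Does not support WPS |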

Additional Information

Workarounds:

Disable the Wi-Fi Protected Setup feature on devices that allow the feature to be disabled, as listed in the Vulnerable Products table.  Cisco Systems has verified that the products that support disabling the WPS feature do indeed disable it and are not vulnerable once the feature has been disabled from the management interface.

Fixed Software:

| Product Name | Fixed Software |
|---|---|
| Cisco WAP4410N | To Be Released |
| Cisco RV110W | To Be Released |
| Cisco RV120W | To Be Released |
| Cisco UC320W | To Be Released |
| Cisco SRP521W | To Be Released |
| Cisco SRP526W | To Be Released |
| Cisco SRP527W | To Be Released |
| Cisco SRP541W | To Be Released |
| Cisco SRP546W | To Be Released |
| Cisco SRP547W | To Be Released |
| Cisco WRP400 | ETA: February 2012 |

Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products is available at http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154

Exploitation and Public Announcements:

Exploit code and functional attack tools that exploit the weakness within the WPS protocol have been released.

This vulnerability was discovered by Stefan Viehbock and Craig Heffner.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Revision History

Revision 4.0 2012-February-29 Updated the Can the WPS feature be permanently disabled? column of the table in the "Vulnerable Products" section for WAP4410N: changed from Yes to No. PSIRT would like to thank Bill Sanderson for pointing out this document error. Corrected the "Fixed Software" section to include the full product name of the WAP4410N.
Revision 3.0 2012-January-27 Updated text for clarity. Updated the Cisco UC320W WPS Disable status to Yes due to release of DisableWPS.pmf. Added Cable and DSL access products currently under investigation. Added a link to Linksys product documentation.
Revision 2.0 2012-January-18 Updated information for the Cisco WRP400.
Revision 1.1 2012-January-11 Corrected text mistakes in researcher's name.
Revision 1.0 2012-January-11 Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

