Cisco updated this alert to provide additional information about affected products as well as additional updates to the alert.
Description
Cisco Lightweight Access Points contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to insufficient security protections during wireless access point association sequences. An unauthenticated, remote attacker could exploit this vulnerability by injecting malicious packets into the wireless network where newly added access points are seeking controllers. This action could allow the attacker to cause the device to associate to a rogue controller, preventing the device from servicing network clients. An exploit could result in a DoS condition.
Cisco has confirmed this vulnerability; however, software updates are not yet available.
Note: Cisco aims to follow up with a timely patch for 6.0.x, which removes the Over-the-Air Provisioning (OTAP) discovery method and encrypts the information in the Radio Resource Management (RRM) Neighbor Discovery Packet.
Warning Indicators
Cisco Lightweight Wireless Access Point 1100, 1200, and 1300 Series devices are affected by this vulnerability. Models 801 and 521 are also affected by this vulnerability. Model 521 is only vulnerable when operating in lightweight mode.
Cisco Lightweight Wireless Access Point 1510 and 1520 mesh Access Points are not affected, because they do not use OTAP.
IntelliShield Analysis
Only wireless access points that are deployed without a setup configuration are vulnerable. Devices using Locally Significant Certificates (LSCs) or devices with preferred controller lists configured are not vulnerable.
To exploit this vulnerability, an attacker must be able to deploy a malicious (packet-injecting) Access Point within radio proximity of the location where Access Points are being installed, increasing the complexity of an attack. The attacker must also have the manufacturing-installed certificate present on the malicious Wireless LAN Controller.
If an exploit is successful, the access point may associate with the attacker's Wireless LAN Controller. Because the rogue Wireless LAN Controller cannot access the underlying RADIUS infrastructure, the rogue access point and Wireless LAN Controller cannot authenticate incoming users, preventing clients from associating to attacker-controlled access points. As a result, clients may not be able to access legitimate network resources, leading to a DoS condition.
Vendor Announcements
Cisco confirmed this vulnerability as Cisco bug ID CSCtb56664. This vulnerability was reported to Cisco by AirMagnet.
Impact
An unauthenticated, remote attacker could exploit this vulnerability to manipulate lightweight access point association communications, causing a vulnerable device to become associated to a malicious Wireless LAN Controller. An exploit could prevent the device from functioning properly, resulting in a DoS condition.
There is no risk of data loss or interception by the rogue access point or Wireless LAN Controller.
Technical Information
The vulnerability is due to insufficient security protections during wireless access point association sequences. At startup, lightweight wireless access points without a configuration use OTAP to seek out and associate with a Cisco Wireless LAN Controller.
Administrators may configure access points with a preferred controller list that will bypass the OTAP provisioning process. LSCs can be provisioned on Cisco access points and Wireless LAN Controllers and are used to authenticate the access points to the Wireless LAN Controller and vice versa. LSCs provide an additional layer of security due to the certificate authentication that is required between the Cisco access point and Wireless LAN Controller. When Cisco access points are provisioned with LSCs, they will not register to a rogue Wireless LAN Controller because the access point will not be able to properly authenticate it.
Devices without preconfigured controller lists or LSCs have no method of distinguishing valid controllers from malicious ones.
An unauthenticated, remote attacker could exploit this vulnerability by injecting RRM packets onto the wireless network while an unconfigured access point starts up. The injection of malicious RRM packets could manipulate the OTAP process to cause the device to associate to the attacker's controller.
As a result, wireless clients that are associating to the rogue access point will be unable to access legitimate network resources, resulting in a DoS condition.
Safeguards
Administrators are advised to preconfigure access points with preferred controller lists.
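As an added illustration of the preferred controller list safeguard (example commands, not part of the original alert), the following Cisco Wireless LAN Controller CLI pins an access point to specific controllers so that OTAP discovery is bypassed on its next boot; the controller names, AP name and IP addresses are placeholders.

```cisco
! Added example (not from the alert). Run on the legitimate WLC after the
! AP has joined it once; the settings persist on the AP across reboots,
! so later discovery no longer depends on OTAP.
! Placeholders: WLC-PRIMARY / WLC-BACKUP (controller names),
! AP-LOBBY-01 (AP name), 10.10.10.5 / 10.10.10.6 (controller addresses).
config ap primary-base WLC-PRIMARY AP-LOBBY-01 10.10.10.5
config ap secondary-base WLC-BACKUP AP-LOBBY-01 10.10.10.6
! Verify that the primary and secondary controller entries are populated
show ap config general AP-LOBBY-01
```

Apply the same commands to every access point before it is moved to its installation site, since the alert notes that only unconfigured access points are exposed during association.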
Administrators can use the Infrastructure Rogue Discovery feature of Cisco Wireless LAN Controllers to identify incorrectly associated access points, as described in Rogue Detection under Unified Wireless Networks.
Administrators are advised to implement a wireless intrusion prevention system (WIPS) or wireless intrusion detection system (WIDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
On unsecured wireless networks, users should employ a VPN to protect sensitive data.
Administrators are advised to use firewalls with port-based access control lists (ACLs) at the router boundaries to prevent Lightweight Access Point Protocol (LWAPP) (UDP ports 12222 and 12223) and Control and Provisioning of Wireless Access Points (CAPWAP) (UDP ports 5246 and 5247) traffic from crossing those boundaries.
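As an added illustration of the boundary ACL safeguard (example configuration, not part of the original alert), the following Cisco IOS extended ACL drops LWAPP and CAPWAP traffic on a boundary interface and logs each denied packet so that unexpected controller discovery attempts show up in syslog; the ACL name and interface are placeholders.

```cisco
! Added example (not from the alert): deny LWAPP and CAPWAP across a
! router boundary so an access point cannot associate to a controller on
! the far side of it. DENY-AP-CONTROL-PLANE and GigabitEthernet0/1 are
! placeholders for your environment.
ip access-list extended DENY-AP-CONTROL-PLANE
 remark LWAPP data (12222) and control (12223)
 deny   udp any any range 12222 12223 log
 remark CAPWAP control (5246) and data (5247)
 deny   udp any any range 5246 5247 log
 remark All other traffic is left to existing policy
 permit ip any any
!
interface GigabitEthernet0/1
 description Boundary toward segment where APs must not seek controllers
 ip access-group DENY-AP-CONTROL-PLANE in
 ip access-group DENY-AP-CONTROL-PLANE out
```

Apply the ACL only on boundary interfaces; the path between access points and their legitimate controllers must still carry these ports.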
Administrators are advised to monitor critical systems.
Patches/Software
Patches and software updates are not available.
Alert History
Version 2, August 25, 2009, 2:27 PM: Cisco updated this alert to clarify that the affected product is the Cisco Lightweight Access Point.
Version 1, August 25, 2009, 1:03 PM: Cisco Lightweight Access Points contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are not available.
The security vulnerability applies to the following combinations of products.
Primary Products:
Cisco
Cisco Aironet
1100 Base | 1130 Base | 1130AG Base | 1131 Base | 1140 Base | 1200 Base | 1230 Base | 1230AG Base | 1240 Base | 1240AG Base | 1250 Base | 1310 Base | 521 Base | 801 Base
Associated Products:
N/A
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.