Vulnerability Alert

Cisco Lightweight Access Point Over-the-Air Provisioning Manipulation Vulnerability

 
Threat Type: CWE-287: Authentication Issues
IntelliShield ID: 18919
Version: 3
First Published: 2009 August 25 17:03 GMT
Last Published: 2009 September 10 18:44 GMT
Port: Not available
CVE: CVE-2009-2861
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 4.3
CVSS Version: 2.0
CVSS Temporal: 3.7
 
Version Summary:

Cisco updated this alert to provide additional information about affected products as well as additional updates to the alert.

 
 
Description

Cisco Lightweight Access Points contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to insufficient security protections during wireless access point association sequences. An unauthenticated, remote attacker could exploit this vulnerability by injecting malicious packets into the wireless network where newly added access points are seeking controllers. This action could allow the attacker to cause the device to associate to a rogue controller, preventing the device from servicing network clients. An exploit could result in a DoS condition.

Cisco has confirmed this vulnerability; however, software updates are not yet available.

Note: Cisco aims to follow up with a timely patch for 6.0.x, which removes the Over-the-Air Provisioning (OTAP) discovery method and encrypts the information in the Radio Resource Management (RRM) Neighbor Discovery Packet.

 
Warning Indicators

Cisco Lightweight Wireless Access Point 1100, 1200, and 1300 Series devices are affected by this vulnerability. Models 801 and 521 are also affected by this vulnerability. Model 521 is only vulnerable when operating in lightweight mode.

Cisco Lightweight Wireless Access Point 1510 and 1520 mesh Access Points are not affected, because they do not use OTAP.

 
IntelliShield Analysis

Only wireless access points that are deployed without a setup configuration are vulnerable.  Devices using Locally Significant Certificates (LSCs) or devices with preferred controller lists configured are not vulnerable.

To exploit this vulnerability, an attacker must be able to deploy a malicious (packet-injecting) Access Point within radio proximity of the location where Access Points are being installed, increasing the complexity of an attack.  The attacker must also have the manufacturing-installed certificate present on the malicious Wireless LAN Controller.

If an exploit is successful, the access point may associate with the attacker's Wireless LAN Controller.  Because the rogue Wireless LAN Controller cannot access the underlying RADIUS infrastructure, the rogue access point and Wireless LAN Controller cannot authenticate incoming users, preventing clients from associating to attacker-controlled access points.  As a result, clients may not be able to access legitimate network resources, leading to a DoS condition.

 
Vendor Announcements

Cisco confirmed this vulnerability as Cisco bug ID CSCtb56664. This vulnerability was reported to Cisco by AirMagnet.

 
Impact

An unauthenticated, remote attacker could exploit this vulnerability to manipulate lightweight access point association communications, causing a vulnerable device to become associated to a malicious Wireless LAN Controller. An exploit could prevent the device from functioning properly, resulting in a DoS condition.

There is no risk of data loss or interception by the rogue access point or Wireless LAN Controller.

 
Technical Information

The vulnerability is due to insufficient security protections during wireless access point association sequences. At startup, lightweight wireless access points without a configuration use OTAP to seek out and associate with a Cisco Wireless LAN Controller.

Administrators may configure access points with a preferred controller list that will bypass the OTAP provisioning process. LSCs can be provisioned on Cisco access points and Wireless LAN Controllers and are used to authenticate the access points to the Wireless LAN Controller and vice versa. LSCs provide an additional layer of security due to the certificate authentication that is required between the Cisco access point and Wireless LAN Controller. When Cisco access points are provisioned with LSCs, they will not register to a rogue Wireless LAN Controller because the access point will not be able to properly authenticate it.

Devices without preconfigured controller lists or LSCs have no method of distinguishing valid controllers from malicious ones.

An unauthenticated, remote attacker could exploit this vulnerability by injecting RRM packets onto the wireless network while an unconfigured access point starts up. The injection of malicious RRM packets could manipulate the OTAP process to cause the device to associate to the attacker's controller.

As a result, wireless clients that are associating to the rogue access point will be unable to access legitimate network resources, resulting in a DoS condition.

 
Safeguards

Administrators are advised to preconfigure access points with preferred controller lists.

Administrators may consider employing LSCs to ensure access points associate only with authorized controllers, as described in the Locally Significant Certificates on Wireless LAN Controllers Configuration Example.

Administrators can use the Infrastructure Rogue Discovery feature of Cisco Wireless LAN Controllers to identify incorrectly associated access points, as described in Rogue Detection under Unified Wireless Networks.

Administrators are advised to implement a wireless intrusion prevention system (WIPS) or wireless intrusion detection system (WIDS) to help detect and prevent attacks that attempt to exploit this vulnerability.

On unsecured wireless networks, users should employ a VPN to protect sensitive data.

Administrators are advised to use firewalls with port-based access control lists (ACLs) at the router boundaries to prevent Lightweight Access Point Protocol (LWAPP) traffic (UDP ports 12222 and 12223) and Control and Provisioning of Wireless Access Points (CAPWAP) traffic (UDP ports 5246 and 5247) from crossing those boundaries.

Administrators are advised to monitor critical systems.
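The boundary ACL and monitoring safeguards above leave a record worth reading: an IOS access list configured with logging emits %SEC-6-IPACCESSLOGP messages for each flow it matches. The script below is an added example, not code from Cisco or from this alert, showing how to run detection over such log lines. It classifies UDP flows by the LWAPP and CAPWAP ports named in the alert, ignores flows whose destination is a controller on an authorized list, and summarizes the rest per source host so an access point that is joining an unexpected controller (or a controller that should not be reachable across the boundary) can be located. The log lines, the 10.10.20.0/24 access point addresses, the authorized controller 10.1.1.5, and the ACL name AP-BOUNDARY are all constructed for the example.

```python
import re
from collections import defaultdict

# UDP ports named in the alert: LWAPP data/control and CAPWAP control/data.
AP_JOIN_PORTS = {
    12222: "LWAPP data",
    12223: "LWAPP control",
    5246: "CAPWAP control",
    5247: "CAPWAP data",
}

# Cisco IOS access-list logging format:
# %SEC-6-IPACCESSLOGP: list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log lines (not real captures); one is unrelated noise.
SAMPLE_LOG = [
    "Aug 25 17:03:11 edge-rtr 101: %SEC-6-IPACCESSLOGP: list AP-BOUNDARY denied udp 10.10.20.31(5246) -> 198.51.100.9(5246), 12 packets",
    "Aug 25 17:03:12 edge-rtr 102: %SEC-6-IPACCESSLOGP: list AP-BOUNDARY denied udp 10.10.20.31(5247) -> 198.51.100.9(5247), 3 packets",
    "Aug 25 17:03:14 edge-rtr 103: %SEC-6-IPACCESSLOGP: list AP-BOUNDARY permitted udp 10.10.20.44(12223) -> 10.1.1.5(12223), 40 packets",
    "Aug 25 17:03:15 edge-rtr 104: %SEC-6-IPACCESSLOGP: list AP-BOUNDARY denied tcp 10.10.20.50(40123) -> 198.51.100.9(443), 1 packet",
    "Aug 25 17:03:17 edge-rtr 105: %SEC-6-IPACCESSLOGP: list AP-BOUNDARY denied udp 10.10.20.31(12223) -> 203.0.113.7(12223), 5 packets",
    "Aug 25 17:03:18 edge-rtr 106: %SYS-5-CONFIG_I: Configured from console by admin",
]

# Constructed: the controllers access points at this site are allowed to join.
AUTHORIZED_CONTROLLERS = {"10.1.1.5"}


def parse_acl_log(line):
    """Parse one IOS ACL log line into a dict, or return None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "acl": d["acl"],
        "action": d["action"],
        "proto": d["proto"].lower(),
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "count": int(d["count"]),
    }


def classify(event):
    """Return the AP-join protocol name for a UDP LWAPP/CAPWAP flow, else None."""
    if event["proto"] != "udp":
        return None
    return AP_JOIN_PORTS.get(event["dport"]) or AP_JOIN_PORTS.get(event["sport"])


def boundary_report(lines, authorized_controllers):
    """Summarize AP-join traffic at a router boundary, grouped by source host.

    Flows addressed to an authorized controller are expected and skipped; every
    other LWAPP/CAPWAP flow is counted so the source can be investigated.
    """
    report = defaultdict(lambda: {"packets": 0, "protocols": set(), "destinations": set()})
    for line in lines:
        event = parse_acl_log(line)
        if event is None:
            continue
        name = classify(event)
        if name is None or event["dst"] in authorized_controllers:
            continue
        entry = report[event["src"]]
        entry["packets"] += event["count"]
        entry["protocols"].add(name)
        entry["destinations"].add(event["dst"])
    return dict(report)


if __name__ == "__main__":
    for src, info in boundary_report(SAMPLE_LOG, AUTHORIZED_CONTROLLERS).items():
        print(f"{src}: {info['packets']} packets, {sorted(info['protocols'])} "
              f"-> {sorted(info['destinations'])}")
```

On the constructed sample the report names a single source, 10.10.20.31, which attempted CAPWAP control and data and LWAPP control toward two controllers that are not on the authorized list; the flow to 10.1.1.5 and the unrelated TCP and syslog lines are ignored. The authorized-controller set plays the same role as the preferred controller list the alert recommends: it states which controllers an access point is expected to reach, so anything else stands out.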

 
Patches/Software

Patches and software updates are not available.

 
Alert History
 

Version 2, August 25, 2009, 2:27 PM: Cisco updated this alert to clarify that the affected product is the Cisco Lightweight Access Point.

Version 1, August 25, 2009, 1:03 PM: Cisco Lightweight Access Points contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are not available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
N/A

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.