Slashdot Mirror


Vulnerability, Potential Exploit In Cisco WLAN APs

An anonymous reader writes "The AirMagnet Intrusion Research Team has uncovered a new wireless vulnerability and potential exploit associated with Cisco wireless LAN infrastructure. The vulnerability involves Cisco's Over-the-Air-Provisioning (OTAP) feature found in its wireless access points. The potential exploit, dubbed SkyJack by AirMagnet, creates a situation whereby control of a Cisco AP can be obtained, whether intentionally or unintentionally, to gain access to a customer's wireless LAN."

35 comments

  1. say that again? by Loconut1389 · · Score: 1

    exploit, unintentionally?

    1. Re:say that again? by Architect_sasyr · · Score: 1

      Some of the worst system compromises I have seen were done by a user who didn't realise that doing X was getting them so far.

      Hell, remember the old Windows where you could click Cancel to log in?

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    2. Re:say that again? by Loconut1389 · · Score: 2, Interesting

      I suppose I should clarify:

      Although the article states, "This ultimately could lead to an enterprise's access point connecting outside of the company to an outside controller, and therefore being under outside control," most business buildings are both large and concrete. There's a reason you find many access points: the signal doesn't travel well, even from the hall to the back of a hotel room.

      Most people don't carry around running access points, especially Cisco ones, and just happen to have OTAP turned on. It seems pretty unlikely this would happen often or at all in the wild.

    3. Re:say that again? by Icegryphon · · Score: 1

      Yes, but it would screw up drive mappings and credentials.

  2. Unintentionally? by Thanshin · · Score: 2, Interesting

    a situation whereby control of a Cisco AP can be obtained, whether intentionally or unintentionally, to gain access to a customer's wireless LAN.

    Unintentionally?

    It's one thing to accept that in the perpetual arms race you'll regularly fall behind and your job is to limit those situations to a manageable minimum. It's a completely different matter when a non-threatening actor may stumble upon a vulnerability.

    "Yes, sir, the bank doors do open automatically when a stray cat passes in front of it at night. You see, cats have precisely the size we didn't account for in our supersecure doors."

    1. Re:Unintentionally? by fuzzyfuzzyfungus · · Score: 3, Insightful

      Given the amount of effort, particularly in consumer computer systems, to make things happen "automagically"(think DHCP, uPNP, zeroconf, autoconnecting to open APs, and the like), it is far from implausible that a system would unintentionally gain access to another system.

      If, say, you have a bog standard XP laptop, with a bittorrent client or other uPNP-using application running on it, and you start it up within range of an open AP, you could very well connect to somebody else's network and reconfigure their router all automatically. Never mind what might happen if your box is 0wn3d and full of malware that might attempt to automatically spread to other machines on the network you just joined.

      Technology has its share of "Golly shucks, officer, I dunno how this happened" excuses; but it also has huge amounts of automation going on.

    2. Re:Unintentionally? by Anonymous Coward · · Score: 0

      How do you unintentionally gain access to something? How should I picture this? "Gee, officer, I was leaning against this door and then it suddenly opened and I tripped and then I must have stumbled into the jewelry box and all those rings just happened to pour into my pockets, dunno how this happened..."

      I've certainly seen weirder things. I remember one "enterprise" CRM application with a particularly stupid bug. If a regular user is entering data into the data entry form, and decides to hit the enter key while entering text into a multi-line box (similar to the slashdot comment box), the entire application comes to a complete halt, and you have to go into the backend sql database to edit the tables directly to get it to work again.

      It was a complete POS.

    3. Re:Unintentionally? by Opportunist · · Score: 2, Interesting

      Good arguments.

      Ok, then we should try to work out a way that disallows this. Guess it comes down to good ol' security and lack thereof. Not necessarily on the "culprit"'s side, i.e. the one (or the one's computer, respectively) that trespasses, more on the side of a piece of autoconf'-able hardware that isn't secured properly.

      So who's to blame if something like this happens?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Unintentionally? by fuzzyfuzzyfungus · · Score: 2, Interesting

      I'd make an exception if malign intent could be demonstrated (i.e. deliberately infecting a nasty XP home box with all sorts of horrible stuff, then "innocently" placing it on a private-but-not-all-that-secure network with intent to cause trouble); but I'd generally be very unwilling to blame for hacking anybody who is just using common technology, right out of the box, with an ordinary level of knowledge.

      The only real fix would be better security on the side of the autoconfigurable hardware. Unfortunately, that would likely add either cost or inconvenience, or both, so I'm not sure how to push it. One concrete step, though, that I'd like to see, would be some clever thinking on making devices easier to provision without potentially dangerous trust.

      For instance, in this case, the "over-the-air-configuration" stuff is obviously there for ease and convenience; but introduces security concerns. In a lot of cases, though probably not all, a device is handled at least once before being installed (if only by the guy taking it out of the box). If there were a couple of contacts on the case, containing power and a low cost bus (i2c, 1-wire, ttl serial, whatever) and a matching cradle, you could have the installers do an offline key-fill. Have the device ship, unconfigured, such that if it has no prior configuration, it will listen on that bus. Afterwards it no longer will. The installer will pull it out of the box, pop it in the cradle for ten seconds, it'll get the public key of your AP controller over that bus, and will then refuse to take orders from any controller with a different key, and will not listen to that bus in the future.

      Something like that would add only a few cents to manufacturing cost, and a few seconds to install time; but would (barring hideous implementation flaws) allow 95% of the autoconfiguration without the security risks.
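      The cradle key-fill flow proposed in the comment above, modelled as an added example (not from the comment, Cisco, or any product): an AP that accepts one key over the bus while unconfigured, then closes the bus and rejects orders from any controller that cannot authenticate with that key. An HMAC key stands in for the controller's public key because the Python standard library has no signature primitive; class and function names are assumptions.

```python
"""Toy model of an offline key-fill for an access point (added example).

An HMAC secret stands in for the controller's public key (stdlib only). A real
design would pin an asymmetric public key so the AP never holds a signing key.
"""
import hashlib
import hmac
import secrets


class AccessPoint:
    """Ships unconfigured; the cradle bus is open only until the first key-fill."""

    def __init__(self):
        self.pinned_key = None   # controller key learned over the cradle bus
        self.bus_open = True     # becomes False permanently after key-fill

    def bus_key_fill(self, key: bytes) -> bool:
        """Cradle contact: accepted only while the AP has no prior configuration."""
        if not self.bus_open:
            return False         # second key-fill attempts are ignored for good
        self.pinned_key = key
        self.bus_open = False
        return True

    def accept_order(self, order: bytes, tag: bytes) -> bool:
        """Over-the-air order from a controller, authenticated by the pinned key."""
        if self.pinned_key is None:
            return False         # design choice here: an unprovisioned AP obeys nobody
        expected = hmac.new(self.pinned_key, order, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def sign(key: bytes, order: bytes) -> bytes:
    """Controller side: authenticate an order with its key."""
    return hmac.new(key, order, hashlib.sha256).digest()


def scenario() -> dict:
    """Corporate controller key-fills the AP; any other controller tries over the air."""
    corp_key = secrets.token_bytes(32)    # constructed key for the corporate controller
    other_key = secrets.token_bytes(32)   # constructed key for some other controller
    order = b"join controller 192.0.2.10"  # constructed order, documentation address
    ap = AccessPoint()
    results = {}
    results["unprovisioned_rejects"] = not ap.accept_order(order, sign(corp_key, order))
    results["fill_ok"] = ap.bus_key_fill(corp_key)
    results["second_fill_rejected"] = not ap.bus_key_fill(other_key)
    results["corp_order_ok"] = ap.accept_order(order, sign(corp_key, order))
    results["other_order_rejected"] = not ap.accept_order(order, sign(other_key, order))
    results["tampered_order_rejected"] = not ap.accept_order(order + b"x", sign(corp_key, order))
    return results


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```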

    5. Re:Unintentionally? by Opportunist · · Score: 1

      I'd make it a requirement to connect at least once with a cable to do the initial configuration, where you must enter some sort of passphrase which is then used to authenticate. That way even some permanently broadcasting malware that tries to hijack the WiFi hardware before you could configure it will be locked out. It's not that much of a hassle for the user and the steps required could be put into the manual. Linksys already has those "use this CD before plugging in" steps in its installation routine (even though doing this will more often than not result in your wireless connection becoming unusable...), so it can even be done in a step by step on screen installation routine.

      In general, though, your suggestion would increase security quite a bit. I think an AP vendor could even use it as a marketing tool in the current light of security problems. A "security enhanced" AP would probably be selling better than one that cannot boast such a feature.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Unintentionally? by Opportunist · · Score: 2, Insightful

    How do you unintentionally gain access to something? How should I picture this? "Gee, officer, I was leaning against this door and then it suddenly opened and I tripped and then I must have stumbled into the jewelry box and all those rings just happened to pour into my pockets, dunno how this happened..."

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Config option, not all that bad by Boetsj · · Score: 4, Interesting

    Apparently you can 'just' disable Over-the-Air-Provisioning (OTAP) to remove the threat, so it's not that big of a deal I'd say.

    1. Re:Config option, not all that bad by jeffmeden · · Score: 3, Insightful

      Not a big deal if (a) you happened to already do this during rollout or (b) you are properly notified about this and config changes are trivial on your network. In cases where you have a very large network and no centralized configuration manager, you will have to sink a lot of time into this 'fix' and that's assuming you don't use OTAP. In the case that you do use OTAP, or in the case that you are too busy to notice this and/or too busy to spend time reconfiguring all the affected devices, then yes, it can be a 'big deal'.

    2. Re:Config option, not all that bad by SlamMan · · Score: 2, Informative

      If you have a very large network and no centralized configuration manager, you're going to have a lot of problems every time any issue comes up that requires a change. Config managers don't have to be complicated or expensive (see RANCID or CatTools), but not having them in place means a lot of needless legwork.

      --
      Mod point free since 2001
    3. Re:Config option, not all that bad by 222 · · Score: 2, Informative

      Look at Kiwi CatTools. It's a couple hundred bucks and supports the management of hundreds of devices via scripted CLI. I use it to manage all of my Cisco devices for config backups, etc. If your org can't spare a couple hundred for this management utility, then you have bigger problems than wifi. Kiwi also does a TON of other neat things, like configuration comparisons side by side.

    4. Re:Config option, not all that bad by cbiltcliffe · · Score: 2, Informative

      Config managers don't have to be complicated or expensive (see RANCID......

      We want......a SHRUBBERY!

      Ni...ni...ni!!!

      (For the mods....RANCID is a tool made by Shrubbery Networks....)

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    5. Re:Config option, not all that bad by Shawndeisi · · Score: 1

      The OTAP is going to be used only in a WLAN controller/lightweight AP environment. "Central management" is a prerequisite to even start thinking about using OTAP.

    6. Re:Config option, not all that bad by Anonymous Coward · · Score: 0

      Correct.

      1) Log into Cisco WLAN Controller
      2) Click Controller Tab
      3) "Disable" "Over The Air Provisioning"
      4) Hit Apply (top right)
      5) (Save configuration)
      6) Sip of Coffee
      7) Logout/Close browser
      8) Wait for APs to grab new config

      I'm sure PROFIT is in there somewhere.

    7. Re:Config option, not all that bad by hesaigo999ca · · Score: 1

      It should have been selected as OFF by default though...and most will not think to go looking for this vulnerability, if they even know it exists...!

    8. Re:Config option, not all that bad by satcomjimmy · · Score: 1

      True, I manage an enterprise Cisco lightweight network and this is simply a check box in the controller config, which is also OFF BY DEFAULT. Every AP that associates to a controller takes its config from the controller, so it is one check box to fix for the uninformed network manager or a waste of time reading and responding to everyone's e-mails getting in a huff about all the hype over a "serious security design flaw" for a feature those of us who understand it never had enabled. There are several other ways for the APs to find a controller; I prefer DHCP options. By the way, this is further nullified if, like most network managers that use these on a small scale, the APs and controllers reside on the same subnet, so it is a simple layer 2 broadcast to find its controller.

  5. The only real security.... by 8127972 · · Score: 1

    .... Is a wire from the computer to the network.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
    1. Re:The only real security.... by Krneki · · Score: 2, Interesting

      .... Is a wire from the computer to the network.

      There is no such thing as real security; the best you can hope for is secure enough, so no one wants to waste time with you.

      --
      Love many, trust a few, do harm to none.
    2. Re:The only real security.... by flyingfsck · · Score: 1

      Not quite - wires also radiate. Google for TEMPEST.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    3. Re:The only real security.... by Anonymous Coward · · Score: 2, Informative

      O RLY?

      "Power sockets can be used to eavesdrop on what people type on a computer."
      http://news.bbc.co.uk/2/hi/technology/8147534.stm

      In this case the hardwire is the problem.

    4. Re:The only real security.... by Icegryphon · · Score: 1

      Google'd Tempest, ZOMG I loved that game!

    5. Re:The only real security.... by Anonymous Coward · · Score: 0

      The only real security is disconnected, dismantled, and thrown into a vat of lava (preferably spread across multiple vats). If you require more flexibility, you take on some risk no matter what.

    6. Re:The only real security.... by Archangel+Michael · · Score: 1

      Bingo.

      I'm dealing with this at my work right now. We have WAPs set with WEP all over the place, and yes, I know WEP has been cracked for a while and is trivial to break. However, trying to secure WAPs while the rest of our infrastructure is wide open is as stupid as putting bars and locks on the windows while the doggy door is unsecured.

      We're a school district, so I'm not worried about people hacking into the network via WAPs, especially when it would be easier to enter into an unoccupied classroom and plug right into the network jack.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  6. Article is not entirely correct by Anonymous Coward · · Score: 0

    Understanding Over-the-Air Provisioning (OTAP):
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a008093d74a.shtml

    Disabling OTAP does not prevent the access points from sending the address of the wireless controller in RRM neighbor packets. Disabling OTAP prevents access points that learned the address of the controller over the air from joining the controller. Access points will join a controller that they learn over the air no matter what if they do not find one on the wire.

    The best defense mechanism for this is turn on rogue access point detection. Cisco access points and controllers do this very well, and I believe it is on by default. If you have the WCS appliance, you can even use triangulation to get a map of where the controller thinks the rogue is.

  7. Not an Exploit, A Slashvertizement by Kaboom13 · · Score: 1

    If you actually read the article, you will realize this is a non-issue. Basically, if you install a new, non-provisioned access point, it is vulnerable to being assigned to a fake controller. This won't give access to your network. It will give them control of a rogue AP, but that's about it. There is nothing here you couldn't do if you stuck an AP of your own somewhere nearby. The article gives no method for taking control of an existing provisioned access point, or gaining access to any data on the network. You can get some IPs of the Cisco controller, but if it's already on the wireless segment of your LAN that's not exactly top secret information. This "attack" is obvious from the very principle of how OTAP works. You plug in an AP, it finds the nearest Cisco controller, and pulls the necessary config. Anyone could see that's not secure. It's a feature designed for convenience in low security networks (aka the majority of wifi installations). Personally, I would never have trusted it to actually work reliably in the first place, and just configured the APs before installing them.

    The article's real motive is clear in the last paragraph:

    Customers should also leverage a dedicated independent IDS system, like AirMagnet Enterprise - capable of detecting wireless snooping with hacking tools to alert staff to the potential of an impending exploit. Furthermore, networking professionals should use such a monitoring system to validate that all corporate APs detected over the air are actually represented at the WLAN controller - as any corporate AP that is not associated to a controller could be a serious security risk.

    AKA buy their shit. Surprise surprise, a company that makes a tool to detect exploits in APs found a "security vulnerability" that their program can help with.

    1. Re:Not an Exploit, A Slashvertizement by sxedog · · Score: 1

      I was about to call the Network and Security Manager here and ask him about our config until I read that last paragraph. My Marketing Shill Meter went through the roof. This isn't /. worthy.

      --
      If it ain't broke, DON'T fix it.
  8. This is why I disable by fast+turtle · · Score: 1

    OTAP and UPNP from the beginning on any Linksys/Cisco hardware. Personally I see absolutely no reason even in a Home network to enable either of those features for just this possible reason. Sure it's a bit more effort to configure things using a wired connection. The main advantage is I don't have to worry about a badly implemented version of UPNP (lots of apps include it) that can screw MY internet connection up. Hell I don't even want the potential for someone to even use UPNP to configure my router so they can dl Porn or other garbage.

    --
    Mod me up/Mod me down: I won't frown as I've no crown
    1. Re:This is why I disable by scottv67 · · Score: 1

      Sadly, the vulnerability has nothing to do with your home network or your single Linksys wireless router. OTAP is a feature on the LWAPP (now CAPWAP) wireless controllers from Cisco that is used when installing new access points.

  9. Cisco security patches by Anonymous Coward · · Score: 0

    Cisco messes up and releases buggy, security-challenged code and then makes you pay more than the hardware is worth just to be able to download an IOS update to fix a defect that should not have existed in the first place. It's so incredibly frustrating to either have to live with known exploits or pay ransom to Cisco to fix it.

    If it wasn't for our Russian friends I suspect many would have been done with this overpriced and overhyped vendor years ago.

  10. CIA policy? by Anonymous Coward · · Score: 0

    I thought it was CIA policy to always leave a hole in Cisco products? Why is this news? I have been a security professional for 20+ years and there has always been a remote root hole in every Cisco product. Some get discovered and replaced with a new hole in the patch. This is normal.