ISS Security Advisory: Wired-side SNMP WEP key exposure in 802.11 b Access Points

[ISS XForce <xforce () iss net>]

Internet Security Systems Security Advisory
June 20, 2001

Wired-side SNMP WEP key exposure in 802.11b Access Points

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a vulnerability
in several 802.11b Access Point devices. This problem may reveal the
Wired Equivalent Privacy (WEP) key that is associated with the wired
network. The WEP key is part of an encryption technique that provides
secure data transmissions between wireless Access Points and PCs. The
WEP encryption key can be obtained via a Simple Network Management
Protocol (SNMP) query sent to the Access Point from a computer on the
wired network. It is possible for an attacker to gain access to the WEP
encryption key from the wired side, and then decrypt traffic on the
wireless network. This attack is only possible if the Access Point is
attacked from a wired network.

Affected Products and Releases:

X-Force confirmed the following products are vulnerable:

3Com AirConnect Model Number AP-4111
Symbol 41X1 Access Point Series 

Symbol Technologies Inc. provides 802.11b Access Point technology to
several vendors under Original Equipment Manufacturer (OEM) agreements.
These devices are branded and sold as distinct products. ISS X-Force has
not tested all potentially vulnerable products. ISS X-Force recommends
referring to the following URL for information about additional
potentially vulnerable devices:

http://www.symbol.com/products/wireless/wireless_alliances_and_partner.html

Description:

The WEP encryption key is used to provide wireless clients with
confidentiality and authentication in an IEEE 802.11b (a standard for
wireless transmissions) environment. The IEEE 802.11b standard
Management Information Base (MIB) includes the definition for
dot11WEPDefaultKeyValue in the dot11WEPDefaultKeysTable, and explicitly
states that, "The WEP default secret keys are logically WRITE-ONLY.
Attempts to read the entries in this table shall return unsuccessful
status and values of null or zero." 

All affected Access Points support the IEEE 802.11b MIB and the 
vendor-specific MIB. The Symbol SNMP agent reveals the WEP encryption
key in response to a valid wired-side SNMP query for the following:

1. IEEE 802.11b MIB: dot11WEPDefaultKeyValue in the dot11WEPDefaultKeysTable
2. Symbol MIB: ap128bWepKeyValue in the ap128bWEPKeyTable

The current implementation of the Symbol SNMP agent presents a standard
compliance issue. More importantly, the privacy of wireless clients may
not be protected, and as a result, the authentication mechanism may not
be reliable.

Recommendations:

Symbol Technologies has made a firmware update available to address the
problems documented in this advisory. Contact your vendor for information
about this update and its availability.

3Com Corporation will make the firmware update available on their Web site:
http://www.3Com.com

This vulnerability is closely related to how manufacturers comply with
IEEE 802.11b standards. It is possible that additional Access Points
from other vendors may be vulnerable to the problems described in this
advisory. ISS X-Force recommends that all Access Point users check for
the existence of this vulnerability.

ISS RealSecure and ISS Internet Scanner have been upgraded with the most
comprehensive 802.11b wireless vulnerability and threat detection
available. The upcoming Wireless X-Press Updates will provide extensive
coverage for major security issues found in many popular Access Points.
ISS X-Force recommends upgrading to the latest X-Press Updates when they
become available.

ISS Consulting and Managed Security Services (MSS) can provide a variety
of wireless security offerings including security health checks,
wireless security policy, wireless architecture design, and managed
wireless network protection. 

ISS SecureU is offering educational courses on 802.11 wireless security.  

Please refer to the following URL for more information:
http://www.iss.net/wireless

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
Name CAN-2001-0352 to this issue. This is a candidate for inclusion in
the CVE list http://cve.mitre.org, which standardizes names for security
problems.

Credits:

This vulnerability was discovered and researched by Kevin Chou of the
ISS X-Force. Internet Security Systems would like to thank Symbol 
Technologies and 3Com Corporation for their response and handling of
this vulnerability.

______

About Internet Security Systems (ISS) 

Internet Security Systems is the leading global provider of security 
management solutions for the Internet, protecting digital assets and 
ensuring safe and uninterrupted e-business. With its industry-leading 
intrusion detection and vulnerability assessment, remote managed 
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. 
telecommunications companies. Founded in 1994, ISS is headquartered in 
Atlanta, GA, with additional offices throughout North America and 
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security 
Systems web site at www.iss.net or call 888-901-7477.


Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in 
connection with the use or spread of this information. Any use of this
information is at the user's own risk.


X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce () iss net of Internet Security Systems, Inc.