Cisco warns of wireless security hole

[InfoSec News <isn () c4i org>]

http://www.nwfusion.com/news/2003/1203ciscowarns.html

By Paul Roberts
IDG News Service, 12/03/03

Cisco is warning customers using its Aironet wireless access points 
(AP) about a security vulnerability that could allow attackers to 
obtain keys used to secure communications on wireless networks. 

The vulnerability affects Aironet 1100, 1200 and 1400 series access 
points and could allow Wired Equivalent Privacy (WEP) keys to be sent 
as plain text over corporate networks that use an SNMP server and have 
a specific option enabled on the access point, Cisco said. 

SNMP is a network management protocol that allows companies to monitor 
the operation of network devices using a central server and software 
agents that track and report on the functioning of SNMP-compliant 
devices. 

To be vulnerable, organizations have to be using an affected Aironet 
model with the IOS software, have an SNMP server deployed, be using 
static WEP keys for encryption and have enabled an option on the AP 
called "snmp-server enable traps wlan-wep." That option is disabled by 
default on Aironet access points, Cisco said. 

SNMP "traps" are alerts that devices create when notable events occur. 
The wlan-wep trap notifies the SNMP server when events related to the 
WEP keys occur, such as a change in the key value or a reboot of the 
access point. Because of the security flaw, Aironet access points will 
also transmit the values of any static WEP keys being used on the 
network as clear text to the SNMP server in the trap message, Cisco 
said. 

An opportunistic attacker who could intercept the SNMP traffic would 
obtain any WEP key values stored on the vulnerable access point and be 
able to snoop on encrypted wireless communications on the network, the 
company said. 

Cisco issued a patch for vulnerable versions of the IOS software, 
12.2(13)JA1 and recommended that customers obtain and install the 
patch as soon as possible. 

Customers unable to get the patch can disable the "snmp-server enable 
traps wlan-wep" option or switch to another encryption method such as 
Extensible Authentication Protocol, which Aironet APs support, but 
which is not affected by the vulnerability, Cisco said. 

The disclosure of a security problem with WEP follows other 
high-visibility patches to the company's Aironet wireless products in 
recent months. 

In July, Cisco patched two holes in the Aironet 1100 series APs that 
could allow an attacker to disable an Aironet access point in a 
denial-of-service attack, or coax user account information out of the 
device. 

In August, the company also revealed that its Lightweight Extensible 
Authentication Protocol encryption was vulnerable to so-called 
"dictionary attacks," in which attackers use software programs to try 
to guess user names and passwords through successive login attempts. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.