AirMagnet reports Cisco AP vulnerability

Unanswered Question
Aug 25th, 2009

Whether or not you have OTAP enabled, this looks interesting.

Does anyone know what AirMagnet is talking about with respect to the frames mentioned in "The Exposure"?

http://www.airmagnet.com/news/press_releases/2009/08252009.php

The Exposure

In normal operation, Cisco APs generate an unencrypted multicast data frame that travels over the air and includes a variety of information in the clear. From these frames a hacker listening to the airwaves could determine the MAC address of the wireless controller that the AP is connected to, the IP address for that controller, and a variety of AP configuration options. These frames are always unencrypted regardless of the encryption scheme used in the network, and are always sent regardless of whether the OTAP feature is turned on or not. At the very least, this allows anyone listening to the network to easily find the internal addresses of the wireless LAN controllers in the network, and potentially target them for attack. All lightweight Cisco deployments are subject to this exposure.

efgarciap Wed, 08/26/2009 - 06:58

Hi,

I read that article as well and I have been doing some research to determine what the real impact of that “vulnerability” is.

According to Cisco documentation, APs won't run OTAP if they have the recovery IOS image. This is the case for new out-of-the-box APs and autonomous-to-lightweight converted APs.

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a008093d74a.shtml

This is an extract of the article:

“LAPs support OTAP only when they have a full LWAPP Cisco IOS image. OTAP is not supported by the LWAPP Recovery Cisco IOS image. The LWAPP Recovery Image is shipped from the factory and loaded by the upgrade tool. The recovery images (cXXXX-rcvk9w8-mx), shipped with new out-of-the-box LAPs, do not contain any radio firmware and do not bring up any radio interfaces during the boot process. Hence OTAP does not work with out-of-the-box LAPs. The exceptions are out-of-the-box 1510s and 1520 APs, which have a full image installed in flash”

On subsequent reboots, the access points will go through the complete discovery process which includes OTAP discovery. However, since the list of controllers is already in the APs' configuration, they will attempt to register with these controllers first.

This document describes in detail the process:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806c9e51.shtml

Now, what happens if for any reason, the configured controllers are not available?

Will APs be at risk of joining an outside controller wirelessly?

I also read that OTAP cannot be disabled in the APs' discovery process. If this is the case, even if OTAP is disabled on controllers, APs are still “vulnerable”, right?

Does Cisco have an official response to this vulnerability?

Robert.N.Barrett_2 Wed, 08/26/2009 - 14:45

As soon as they join a controller they'll get an image that supports OTAP.

According to the excellent video at the link below, OTAP uses RRM packets. However, the video states that the RRM packet will only contain the controller IP address if OTAP is enabled. Therefore, I would only enable OTAP when deploying new APs (and only if the APs had no other way of discovering a controller). Turn off OTAP when you are not adding APs to the network. I have a small capture from my network where OTAP is turned off (RRM is off, too - go figure). Only one RRM packet was captured, so I can't be 100% certain, but the IP address of my controller was not in the packet. I'll be doing some more captures to check.

http://www.youtube.com/watch?v=dZHiY_1p_d0

Robert.N.Barrett_2 Thu, 08/27/2009 - 20:50

In my tests using a controller running 4.2.176.0 code and a 1242 AP, the RRM packets contain the MAC and IP address of my controller even when I have RRM and OTAP disabled.
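Robert's capture test above boils down to one concrete check: does the controller's IP or MAC appear in the clear in frames an AP sends over the air? The script below is an added example for answering that against a monitor-mode capture; it is not code from this thread, from Cisco or from AirMagnet. It assumes you already know your controller's IP and MAC, and it does not model the RRM/OTAP payload layout (nothing on this page describes it): the check is format-agnostic and flags any data frame whose Protected Frame bit is clear, whose destination is a group address, and whose body contains the controller addresses as raw bytes. The controller addresses, BSSID and payload bytes in the sample are constructed, not real RRM frames, and the pcap reader handles only classic pcap with link type 105 (raw 802.11) or 127 (radiotap). `bytes.hex(":")` needs Python 3.8 or later.

```python
# Added example (not code from the thread, Cisco or AirMagnet): flag 802.11 frames
# showing the exposure discussed above, i.e. unencrypted multicast data frames from
# an AP that carry the controller's IP/MAC in the clear.  The RRM/OTAP payload layout
# is NOT modelled; the check just searches unprotected multicast data frames for the
# controller's addresses as raw bytes.  All addresses and payloads here are made up.
import socket
import struct

FC_TYPE_DATA = 2                            # Frame Control "type" value for data frames
FLAG_TO_DS, FLAG_FROM_DS = 0x01, 0x02
FLAG_PROTECTED = 0x40                       # Protected Frame bit: the body is encrypted

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def parse_80211(frame: bytes) -> dict:
    """Parse an 802.11 MAC header; return the fields the check needs plus the body."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24 + (6 if to_ds and from_ds else 0)         # Addr4 only in WDS frames
    if ftype == FC_TYPE_DATA and subtype & 0x8:
        hdr_len += 2                                        # QoS Control field
    # The BSSID's position depends on the To/From DS bits; AP-to-air frames use Addr2.
    bssid = (addr2 if from_ds and not to_ds else addr1 if to_ds and not from_ds
             else addr3 if not (to_ds or from_ds) else None)
    return {"is_data": ftype == FC_TYPE_DATA,
            "protected": bool(flags & FLAG_PROTECTED),
            "multicast": bool(addr1[0] & 0x01),            # group bit of the DA
            "bssid": bssid.hex(":") if bssid else None,
            "body": frame[hdr_len:]}

def frame_leaks(frame: bytes, controller_ip: str, controller_mac: str):
    """{'bssid', 'leaked'} if an unencrypted multicast data frame carries the
    controller's IP or MAC in the clear, else None."""
    h = parse_80211(frame)
    if not h["is_data"] or not h["multicast"] or h["protected"]:
        return None
    needles = {"ip": socket.inet_aton(controller_ip), "mac": mac_bytes(controller_mac)}
    leaked = [name for name, needle in needles.items() if needle in h["body"]]
    return {"bssid": h["bssid"], "leaked": leaked} if leaked else None

def find_leaks(frames, controller_ip: str, controller_mac: str) -> list:
    """Index every frame in a capture that exposes the controller's addresses."""
    hits = []
    for i, frame in enumerate(frames):
        r = frame_leaks(frame, controller_ip, controller_mac)
        if r:
            hits.append({"index": i, **r})
    return hits

def iter_pcap_frames(data: bytes):
    """Yield raw 802.11 frames from a classic pcap (linktype 105, or 127 with radiotap)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]    # KeyError: not a classic pcap
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype not in (105, 127):
        raise ValueError("need an 802.11 capture (linktype 105 or 127)")
    off = 24
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from(endian + "I", data, off + 8)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == 127:                   # strip radiotap; its length is at bytes 2-3 (LE)
            pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]
        yield pkt

def build_pcap(frames, linktype: int = 105) -> bytes:
    """Write a minimal little-endian classic pcap (used to exercise the reader)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# --- constructed sample capture: addresses and payload bytes are made up -----
CONTROLLER_IP, CONTROLLER_MAC = "10.1.1.5", "00:1a:2b:3c:4d:5e"
BSSID, MCAST = "00:0b:85:aa:bb:01", "01:00:5e:00:00:01"
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
LEAKY_BODY = (LLC_SNAP + b"\x01\x02" + socket.inet_aton(CONTROLLER_IP)
              + b"\x00" + mac_bytes(CONTROLLER_MAC))
CLEAN_BODY = LLC_SNAP + b"\x01\x02" + socket.inet_aton("192.0.2.9")

def build_ap_data_frame(da: str, bssid: str, body: bytes, protected: bool = False) -> bytes:
    """AP-originated (FromDS=1) data frame: Addr1=DA, Addr2=BSSID, Addr3=SA."""
    flags = FLAG_FROM_DS | (FLAG_PROTECTED if protected else 0)
    return (bytes([FC_TYPE_DATA << 2, flags]) + b"\x00\x00" + mac_bytes(da)
            + mac_bytes(bssid) + mac_bytes(bssid) + b"\x00\x00" + body)

SAMPLE_FRAMES = [
    build_ap_data_frame(MCAST, BSSID, LEAKY_BODY),                  # the exposure
    build_ap_data_frame(MCAST, BSSID, LEAKY_BODY, protected=True),  # encrypted body: skipped
    build_ap_data_frame("00:11:22:33:44:55", BSSID, LEAKY_BODY),    # unicast: out of scope
    build_ap_data_frame(MCAST, BSSID, CLEAN_BODY),                  # nothing leaked
]

if __name__ == "__main__":
    capture = iter_pcap_frames(build_pcap(SAMPLE_FRAMES))   # swap in your own pcap bytes
    for hit in find_leaks(capture, CONTROLLER_IP, CONTROLLER_MAC):
        print(f"frame {hit['index']}: BSSID {hit['bssid']} leaks {hit['leaked']}")
```

To run it over a real capture, replace the constructed pcap with the bytes of a monitor-mode capture and pass your own controller addresses; a hit tells you which BSSID is sending the address in the clear, which is the fact Robert was checking with and without OTAP/RRM enabled. Because the check matches raw bytes, it cannot tell an RRM frame from any other multicast data frame that happens to contain the same bytes, so treat a hit as something to inspect in a protocol decoder rather than as proof of the specific frame type.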

Leo Laohoo Sun, 08/30/2009 - 18:33

Cisco has sent out a "security alert" (dated 25 August 2009) regarding this issue.

Cisco Lightweight Access Point Over-the-Air Provisioning Manipulation Vulnerability

http://tools.cisco.com/security/center/viewAlert.x?alertId=18919

Bug ID CSCtb56664

Until someone can confirm the accuracy of both, I am apprehensive about "Cisco Lightweight Wireless Access Point 1100 and 1200 Series devices are affected by this vulnerability.

No other Cisco devices are known to be affected."

But if you look at the bottom of the page, affected models are 1100, 1130, 1130AG, 1131, 1140, 1200, 1230, 1230AG, 1240, 1240AG, 1250 APs.
