TECHNICAL BULLETIN
| PROBLEM: | Cisco Lightweight Access Points contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. |
| PLATFORM: | Cisco Lightweight Wireless Access Point 1100 and 1200 Series |
| ABSTRACT: | When the Cisco Over-the-Air-Provisioning (OTAP) feature is enabled, a remote user can inject remote radio management (RRM) packets to cause a non-configured AP that is starting up to connect to an arbitrary wireless controller. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-218.shtml |
| OTHER LINKS: | Security Tracker Website: http://www.securitytracker.com/alerts/2009/Aug/1022774.html; Cisco Website: http://tools.cisco.com/security/center/viewAlert.x?alertId=18919 |
| CVE: | CVE-2009-2861 |
| IMPACT ASSESSMENT: | This risk is low. An unauthenticated, remote attacker could exploit this vulnerability to manipulate lightweight access point association communications, causing a vulnerable device to become associated to a malicious Wireless LAN Controller. An exploit could prevent the device from functioning properly, resulting in a DoS condition. |
[***** Start CVE-2009-2861 *****]

Discussion:

Cisco Lightweight Access Points contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient security protections during wireless access point association sequences. An unauthenticated, remote attacker could exploit this vulnerability by injecting malicious packets into the wireless network where newly added access points are seeking controllers. This action could allow the attacker to cause the device to associate to a rogue controller, preventing the device from servicing network clients. An exploit could result in a DoS condition.

At startup, lightweight wireless access points without a configuration use over-the-air provisioning (OTAP) to seek out and associate with a Cisco Wireless LAN Controller. Administrators may configure access points with a preferred controller list that will bypass the OTAP provisioning process.

LSCs can be provisioned on Cisco access points and Wireless LAN Controllers and are used to authenticate the access points to the Wireless LAN Controller and vice versa. LSCs provide an additional layer of security due to the certificate authentication that is required between the Cisco access point and Wireless LAN Controller. When Cisco access points are provisioned with LSCs, they will not register to a rogue Wireless LAN Controller because the access point will not be able to properly authenticate it.

Devices without preconfigured controller lists or LSCs have no method of distinguishing valid controllers from malicious ones. An unauthenticated, remote attacker could exploit this vulnerability by injecting remote radio management (RRM) packets onto the wireless network while an unconfigured access point starts up. The injection of malicious RRM packets could manipulate the OTAP process to cause the device to associate to the attacker's controller. As a result, wireless clients that are associating to the rogue access point will be unable to access legitimate network resources, resulting in a DoS condition.

Solution:

Cisco has confirmed this vulnerability; however, software updates are not yet available.

[***** End CVE-2009-2861 *****]
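
The protection logic in the discussion above (a preferred controller list bypasses OTAP, and an LSC lets the access point reject a controller it cannot authenticate) can be checked against an access point inventory. The following is an added example, not part of the original bulletin and not Cisco code; the record fields, finding codes, AP names and controller addresses are constructed for illustration.

```python
# Added example: audit an AP inventory for the OTAP exposure in this bulletin.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class AccessPoint:               # hypothetical inventory record
    name: str
    otap_enabled: bool                       # OTAP discovery active on this AP
    preferred_controllers: List[str] = field(default_factory=list)
    lsc_provisioned: bool = False            # certificate auth AP <-> controller
    joined_controller: Optional[str] = None  # controller the AP reports joining


def audit(ap: AccessPoint, approved: Set[str]) -> List[str]:
    """Return finding codes for one AP, following the bulletin's reasoning."""
    findings = []
    # A preferred controller list bypasses OTAP; an LSC lets the AP reject a
    # controller it cannot authenticate. With neither, the AP cannot tell a
    # valid controller from a malicious one while it starts up.
    if ap.otap_enabled and not ap.preferred_controllers and not ap.lsc_provisioned:
        findings.append("EXPOSED_AT_STARTUP")
    # A preferred list only helps if every entry is a controller you operate.
    if any(c not in approved for c in ap.preferred_controllers):
        findings.append("UNAPPROVED_PREFERRED_CONTROLLER")
    # Symptom of a successful redirect: the AP is joined somewhere unexpected.
    if ap.joined_controller and ap.joined_controller not in approved:
        findings.append("JOINED_UNAPPROVED_CONTROLLER")
    return findings


def audit_inventory(aps, approved):
    """Map AP name -> findings, omitting APs with nothing to report."""
    return {ap.name: f for ap in aps if (f := audit(ap, approved))}


# Constructed sample data (documentation address ranges, made-up AP names).
APPROVED = {"192.0.2.10", "192.0.2.11"}
INVENTORY = [
    AccessPoint("ap-lobby", True),
    AccessPoint("ap-lab", True, ["192.0.2.10"]),
    AccessPoint("ap-dock", True, lsc_provisioned=True),
    AccessPoint("ap-annex", True, joined_controller="198.51.100.7"),
    AccessPoint("ap-roof", False, ["192.0.2.10", "203.0.113.5"]),
]

if __name__ == "__main__":
    for name, found in audit_inventory(INVENTORY, APPROVED).items():
        print(f"{name}: {', '.join(found)}")
```
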
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov