Posts Tagged ‘Cisco’

Cisco AP Skyjacking

August 26th, 2009

This latest vulnerability on Cisco WLAN (AP Skyjacking) shows how important it is for customers to deploy an overlay WIPS so that zero-day response capabilities are in place. Making changes to your WLAN controller, APs, and firewalls takes time, and new vulnerabilities like this will continue to surface.

A dangerous exploit that can be carried out using this vulnerability is for a hacker to route an enterprise customer’s Cisco AP to a WLC deployed out on the Internet and change the Guest SSID to map to an internal enterprise VLAN (using the REAP mode supported on Cisco APs); see below for Pravin’s comments.

AirTight is the only WIPS vendor who can detect this dangerous exploit (i.e. Guest SSID mapped to an incorrect VLAN) and prevent this scenario. Using AirTight WIPS, you can define an SSID-to-VLAN security policy (i.e. wireless-to-wired security policy mapping), which allows you to detect this misconfiguration and prevent a hacker from exploiting it. Using Cisco WLC+WCS+MSE or other third-party WIDS/WIPS, this scenario will go undetected for some time, allowing the hacker access into the customer’s enterprise network.

Customers should pay immediate attention to this vulnerability, change the default settings on their Cisco APs (i.e. the out-of-the-box configuration), and put a zero-day response strategy in place for vulnerabilities like this in the future.


Sri Sundaralingam Best practices, Wireless security

Is skyjacking a mere DoS threat against Cisco WLAN?

August 26th, 2009

The skyjacking vulnerability, which allows a Cisco LAP to be diverted to connect to a rogue controller by manipulating OTAP, could be more dangerous than what Cisco has stated in its advisory. The advisory says that “An exploit could prevent the device from functioning properly, resulting in a DoS condition. There is no risk of data loss or interception by the rogue access point or Wireless LAN Controller.”

 

As a matter of fact, it should be possible to convert an authorized Cisco LAP into a wired rogue AP using skyjacking. After a Cisco LAP has been skyjacked (for example, made to connect to a controller hosted on the Internet), it is possible to convert it to Cisco REAP mode and make it bridge traffic locally between the enterprise wired subnet and wireless.

 

Just a thought – won’t blocking the LWAPP discovery port on the enterprise firewall protect you from this threat?

 

Stay tuned for more updates as we dig deeper into this.


Pravin Bhagwat Best practices, Wireless security