- Cisco Warns of Vulnerabilities in Wireless LAN Controllers by Mike Lennon Managing Editor at Security Week
- Cisco Wireless LAN Controllers Wireless Intrusion Prevention System Denial of Service Vulnerability via Cisco Vulnerability Alert
Recall “Skyjacking” vulnerability discovered with Cisco LAPs couple of years ago? It allowed hacker to transfer control of enterprise Cisco LAPs from enterprise WLC to hacker controlled WLC in the Internet with over-the-air attack. Once control is transferred, the hacker could change configuration on those LAPs in any way by adding, deleting and modifying SSIDs. The hacker could also tamper with Cisco monitor mode APs and take away the security layer. Cisco Skyjacking exploited vulnerability in Cisco’s over-the-air controller discovery protocol. Know more about it here.
Now a similar vulnerability seems to have been discovered in Aruba OS and AirWave console. The advisory states: “[a]n attacker could plant an AP with maliciously crafted SSID in the general vicinity of the wireless LAN and might trigger a XSS vulnerability in reporting section of the ArubaOS and AirWave WebUIs. This vulnerability could potentially be used to execute commands on the controller with admin credentials.” Though modus operandi is different from Cisco, the end result is similar – transferring the control of Wi-Fi controller to hacker by launching over-the-air attack.
No system is free from vulnerabilities and such things will continue to be discovered. But, you don’t have to give away “hack one, get one free”. You don’t have to give hackers control of Wi-Fi coverage and Wi-Fi security in a single shot. This can be achieved by ensuring that the Wi-Fi security layer operates independent of Wi-Fi infrastrucutre. Read more…
Security is hard to get right and shortcuts — be it coding shortcuts or design shortcuts – come back and haunt the product designers when the rubber hits the road.
The recently discovered “skyjacking” vulnerability of the Cisco LAPs seems to be a classic example. The “Over The Air Provisioning” (OTAP) feature allows an out-of-the-box Cisco LAP to automatically discover available WLC controllers to connect to by listening to wireless OTAP packets broadcast by neighboring Cisco LAPs. This feature obviously has attractive plug-and-play benefits for the end user but has also resulted in some critical security holes in the Cisco wireless infrastructure as reported recently. Malicious OTAP packets transmitted by an intruder can make a LAP connect to a “rogue” WLC controller on the Internet. This controller can modify the wireless settings of the AP in devious ways resulting in an AP that is in your airspace, connected to your wired network but completely controlled by an attacker.
Many security vulnerabilities are due to coding bugs (for example, inadequate input checking or the infamous buffer overflows). In contrast, the skyjacking vulnerability has its root, in my opinion, in two questionable design decisions that were probably made as early as the requirements definition stage.
This latest vulnerability on Cisco WLAN (AP Skyjacking) points out the importance for customers to deploy overlay WIPS to have a zero day response capabilities in place. Making changes to your WLAN controller, APs, and firewalls takes time and new vulnerabilities like this will continue to surface.
A dangerous exploit that can be carried out using this vulnerability is for a hacker to route an enterprise customer’s Cisco AP to WLC deployed out in the Internet and change the Guest SSID to map to an internal enterprise VLAN (using REAP mode supported on Cisco APs); see below for Pravin’s comments.
AirTight is the only WIPS vendor who can detect this dangerous exploit (i.e. Guest SSID mapped to incorrect VLAN) and prevent this scenario. Using AirTight WIPS, you can map WLAN SSID-to-VLAN security policy (i.e. wireless-to-wired security policy mapping) thus allowing you to detect this misconfiguration and prevent a hacker from exploiting this. Using Cisco WLC+WCS+MSE or other third-party WIDS/WIPS, this scenario will go undetected for sometime thus allowing the hacker access into the customer’s enterprise network.
Customers should pay immediate attention to this vulnerability and change their default settings on their Cisco APs (i.e. out of the box configuration) and put zero day response strategy for vulnerabilities like this in the future.
Skyjacking vulnerability which allows Cisco LAP to be diverted to connect to rogue controller by manipulating OTAP could be more dangerous than what has been clarified by Cisco in its advisory. The advisory says that “An exploit could prevent the device from functioning properly, resulting in a DoS condition. There is no risk of data loss or interception by the rogue access point or Wireless LAN Controller.”
As a matter of fact, it should be possible to convert Authorized Cisco LAP into a wired rogue AP using skyjacking. After Cisco LAP is trapped into skyjacking (for example, made to connect to a controller hosted on the net), it is possible to convert it to Cisco REAP mode and make it bridge traffic locally between Enterprise wired subnet and wireless.
Just a thought – won’t blocking LWAPP discovery port on enterprise firewall protect you from this threat?
Stay tuned for more updates as we dig deeper into this.