OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Bill Arbaugh (waaCS.UMD.EDU)
Date: Mon Apr 02 2001 - 19:35:05 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Name: Lucent/Orinoco Closed Network design flaw

    Products: Most access points based on Orinoco wireless cards.

    Severity: An attacker can determine the network name, or SSID,
                    which controls access to the network. Knowledge of the
                    SSID permits a client to associate/join the
                    network. If WEP is not enabled, the attacker gains
                    unrestricted access to the network immediately.

    Author: William A. Arbaugh
                    waacs.umd.edu
                    http://www.cs.umd.edu/~waa

    Vendor Status: Vendor informed of the problem on April 1, 2001 via
                    electronic mail. Vendor responded that this is just
                    "one little hurdle .." to gaining access on April 2,
                    2001 via electronic mail.

    Details:
                    Lucent has defined a proprietary access control
                    mechanism entitled Closed Network [1]. With this
                    mechanism, a network manager can use either an open or
                    a closed network. In an open network, anyone is
                    permitted to join the network. In a closed network,
                    only those clients with knowledge of the network name,
                    or SSID, can join. In essence, the network name acts
                    as a shared secret. Claims are made in [1] that a
                    Closed Network prevents unauthorized users from
                    accessing the network.

                    In practice, security mechanisms based on a shared
                    secret are robust provided the secrets are
                    well-protected in use and when
                    distributed. Unfortunately, this is not the case with
                    Lucent's proprietary access control mechanism. Several
                    802.11 management messages contain the network name,
                    or SSID, and these messages are broadcast in the clear
                    by access points and clients. The actual message
                    containing the SSID depends on the vendor and model of
                    the access point. The end result, however, is that an
                    attacker can easily sniff the network name-
                    determining the shared secret and gaining immediate
                    access to the ``protected'' network if WEP is not
                    enabled. Even with WEP enabled, however, the attacker
                    could utilize previously disclosed WEP flaws [2,3] to
                    gain access by forging packets.

                    A description of this flaw and others contained in
                    802.11 are described in [4].

    References:

                    [1] Lucent Orinoco, User's Guide for the ORiNOCO
                        Manager's Suite, November 2000.

                    [2] J. Walker, "Unsafe at any key size: An analysis of
                    the WEP encapsulation", Tech Rep. 03628E, IEEE 802.11
                    committee, March 2000.
                    http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zip.

                    [3] N. Borisov, I. Goldberg, and D. Wagner,
                    Intercepting Mobile Communications: The Insecurity of
                    802.11. http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

                    [4] W. Arbaugh, N. Shankar, and Y. Wan, Your 802.11
                    Wireless Network has No Clothes.
                    http://www.cs.umd.edu/~waa/wireless.pdf