OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Cisco Systems Product Security Incident Response Team (psirtcisco.com)
Date: Wed Mar 07 2001 - 11:25:19 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

    Cisco Security Advisory: Access to the Cisco Aironet 340 Series Wireless Bridge
                                   via Web Interface
                                           
    Revision 1.0

      For Public Release 2001 March 07 08:00 (GMT -0800)
         _________________________________________________________________
       
    Summary

       It is possible to view and modify the bridge's configuration via Web
       interface even when Web access is disabled in the configuration. This
       defect is documented as Cisco bug ID CSCdt52783. This defect is
       present in the following hardware models:
         * Aironet AP4500,
         * Aironet AP4800,
         * Aironet BR100,
         * Aironet BR500,
         * Cisco Aironet AIR-BR340
           
       The firmware release 8.55 is the first image which contains the fix.
       All previous firmware releases for listed devices are vulnerable. No
       other Aironet/Cisco Aironet wireless product is affect by this
       vulnerability. This advisory is available at the
       http://www.cisco.com/warp/public/707/Aironet340-pub.shtml.
       
    Affected Products

       The following hardware models are affected:
         * Aironet AP4500,
         * Aironet AP4800,
         * Aironet BR100,
         * Aironet BR500,
         * Cisco Aironet AIR-BR340
           
       They are vulnerable to this defect if they are running any of the
       following firmware releases:
         * 7.X
         * 8.07
         * 8.24
           
       The release 8.55 is the first release where this vulnerability is
       fixed. No other Aironet/Cisco Aironet wireless products are affected
       by this defect.
       
    Details

       It is possible to view and modify the bridge's configuration, using
       Web interface, despite it being explicitly disabled. This
       vulnerability is exploitable over the wired and wireless link alike.
       
    Impact

       An attacker is able to modify the bridge's configuration. It is
       necessary for an attacker to obtain connectivity to the bridge. That
       can be done either using wired or wireless Ethernet interface.
       
    Software Versions and Fixes

       This defect is fixed in the release 8.55 of the software.
       
    Obtaining Fixed Software

       Cisco is offering free software upgrades to eliminate this
       vulnerability for all affected customers.
       
       Customers with contracts should obtain upgraded software through their
       regular update channels. For most customers, this means that upgrades
       should be obtained via the Software Center on Cisco's Worldwide Web
       site at http://www.cisco.com. Please do not contact either
       "psirtcisco.com" or "security-alertcisco.com" for software upgrades.
       
    Workarounds

       There is no workaround if an attack is coming from wired Ethernet
       interface.
       
       To mitigate this vulnerability if an attack is coming over the
       wireless link the following actions may be taken:
         * Change SSID to non guessable value.
         * Turn on WEP encryption if possible.
         * On bridges (BR100, BR500 and AIR-BR340) turn off access point
           mode. That will disallow direct access to the bridge by any
           client.
           
       For the instruction on how to perform these operations on the Cisco
       Aironet 340 Series Wireless Bridge, please see:
       http://www.cisco.com/univercd/cc/td/doc/product/wireless/aironet/br
       idge/brdgqs.htm
       
       For more detailed description please consult "Using the Cisco Aironet
       340 Series Wireless Bridges", which can be found at:
       http://www.cisco.com/univercd/cc/td/doc/product/wireless/aironet/br
       idge/ebridge.pdf Information on SSID and other basic settings is on
       page 4-3. Information on bridge mode vs AP mode is on page 4-17.
       
    Exploitation and Public Announcements

       The Cisco PSIRT is not aware of any public announcements or malicious
       use of the vulnerabilities described in this advisory. This
       vulnerability was discovered by a customer.
       
    Status of This Notice: FINAL

       This is a final notice. Although Cisco cannot guarantee the accuracy
       of all statements in this notice, all of the facts have been checked
       to the best of our ability. Cisco does not anticipate issuing updated
       versions of this notice unless there is some material change in the
       facts. Should there be a significant change in the facts, Cisco may
       update this notice.
       
    Distribution

       This notice will be posted on Cisco's Worldwide Web site at
       http://www.cisco.com/warp/public/707/Aironet340-pub.shtml. In
       addition to Worldwide Web posting, a text version of this notice is
       clear-signed with the Cisco PSIRT PGP key and is posted to the
       following e-mail and Usenet news recipients:
         * cust-security-announcecisco.com
         * bugtraqsecurityfocus.com
         * first-teamsfirst.org (includes CERT/CC)
         * ciscospot.colorado.edu
         * comp.dcom.sys.cisco
         * firewallslists.gnac.com
         * Various internal Cisco mailing lists
           
       Future updates of this notice, if any, will be placed on Cisco's
       Worldwide Web server, but may or may not be actively announced on
       mailing lists or newsgroups. Users concerned about this problem are
       encouraged to check the URL given above for any updates.
       
    Revision History

       Revision 1.0 2001-March-07 08:00 GMT-0800 Initial public release
       
    Cisco Security Procedures

       Complete information on reporting security vulnerabilities in Cisco
       products, obtaining assistance with security incidents, and
       registering to receive security information from Cisco, is available
       on Cisco's Worldwide Web site at
       http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
       This includes instructions for press inquiries regarding Cisco
       security notices.
         _________________________________________________________________
       
       This notice is Copyright 2001 by Cisco Systems, Inc. This notice may
       be redistributed freely after the release date given at the top of the
       text, provided that redistributed copies are complete and unmodified,
       and include all date and version information.
         _________________________________________________________________
       
       
       All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights
       reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2

    iQEVAwUBOqZnU2iN3BRdFxkbAQGrWQgAi0yNI2MNmv7E1J/M/vdnRhLN2PBBw3uw
    j/E/R72PP53XiOS4QA6bUO9ReJSbDesnzcCKwwUO2sjDNWEaqglqL2CKn7p1lCcO
    fO3lvznv29hJNbPrxrBFBOFJS0si9zbOlFJ2mNef8LL7WgpamObbNWTBqZ6rwptZ
    thJGMLWnbv/8skKYBNMJTcixQ7/rOz30va9RMJt4HsnbmRG3bIICmvQbuQCVBb9I
    8ZkKLWB2H7D0uO2qiYX8i27UE8xOVDF/G+B00M/fMmMpFbAT6dspemmt+1rDX+A0
    Ljb8heEpnPlwhk3+TDcECGqUFjsMIFp5f5aQkIJ1O1xjaDNPtz95XA==
    =DNwd
    -----END PGP SIGNATURE-----