Yesterday morning, AirMagnet, a vendor focused on security and compliance for wireless LANs, announced a discovery by its research team that could allow attackers to take control of wireless infrastructure built on Cisco equipment. The vulnerability centers on the Over-the-Air Provisioning (OTAP) feature of Cisco's wireless access points.
SkyJacking vulnerability discovered on Cisco APs. (Image: Cisco)
The exploit, which AirMagnet has given the catchy name SkyJacking, offers the potential to gain control of a Cisco Access Point (AP), whether by an attacker's design or by accident, and through it access to the wireless LAN the AP serves. It works because of the OTAP feature found in Cisco's wireless APs.
“The Cisco OTAP feature allows a Cisco AP that is not connected to a Cisco controller to listen to traffic from other nearby Cisco APs and use that information to quickly locate a nearby WLAN controller to associate to,” AirMagnet explains.
It is during this discovery process that the two elements of the OTAP vulnerability emerge. The first is the unintentional exposure of information by lightweight Cisco APs (the 1100 and 1200 Series). The second arises only if the OTAP feature is enabled: an AP can then end up assigned to an outside Cisco controller (in other words, SkyJacked), whether by accident or at the direction of an attacker.
In normal operation, Cisco APs send a multicast data frame over the air in the clear, with no encryption at all. Anyone listening to the airwaves, attacker or otherwise, can read from these frames the MAC address of the wireless controller the AP is connected to, the IP address of that controller, and a variety of AP configuration options.
AirMagnet stresses that these frames are always unencrypted, regardless of the encryption scheme used on the network, and are always sent, regardless of whether the OTAP feature is enabled.
“At the very least, this allows anyone listening to the network to easily find the internal addresses of the wireless LAN controllers in the network, and potentially target them for attack. All lightweight Cisco deployments are subject to this exposure,” said AirMagnet in their advisory.
Unlike the information exposure, the SkyJacking exploit requires the OTAP feature to actually be enabled. If it is, a newly deployed Cisco AP will listen for these multicast frames to determine the address of its nearest controller and associate to it.
“The potential exists for the Cisco AP to "hear" multicast traffic from a neighboring network and incorrectly connect to a neighbor or otherwise unapproved Cisco controller. This ultimately could lead to an enterprise's access point connecting outside of the company to an outside controller, and therefore being under outside control,” the advisory adds.
So should you worry if you use the 1100 or 1200 Series of lightweight APs from Cisco? Cisco says that if some basic best practices are followed, the attack can be prevented.
“Administrators are advised to preconfigure access points with preferred controller lists,” Cisco said in an advisory on the SkyJacking issue.
In addition, administrators should deploy Locally Significant Certificates (LSCs) to ensure that access points associate only with authorized controllers, and use the Infrastructure Rogue Discovery feature of Cisco Wireless LAN Controllers to identify access points that have associated with the wrong controller.
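To make the two configuration-side recommendations concrete, here is an added example of how they look on a Cisco Wireless LAN Controller (WLC) command line. This is not from the article or from Cisco's advisory; the controller names, IP addresses, the AP name and the CA URL are placeholders, lines beginning with "!" are annotations rather than commands, and the command syntax should be verified against the command reference for your controller release.

```cisco
! Added example: hardening a WLC against SkyJacking. Placeholders throughout.

! 1. OTAP itself. The weak setting, which lets a new AP pick a controller it
!    "hears" over the air (the condition the exploit needs):
config network otap-mode enable
!    The hardened setting, once every AP has been given its controllers:
config network otap-mode disable

! 2. Preferred controller list for one AP (placeholder name "ap-floor1-01"),
!    so it never has to discover a controller from multicast frames.
!    Syntax: config ap primary-base <controller-name> <ap-name> [<controller-ip>]
config ap primary-base   wlc-hq-1 ap-floor1-01 10.10.1.5
config ap secondary-base wlc-hq-2 ap-floor1-01 10.10.1.6
config ap tertiary-base  wlc-dr-1 ap-floor1-01 10.20.1.5

! 3. Locally Significant Certificates, so the AP accepts only a controller
!    whose certificate chains to your own CA (placeholder URL).
config certificate lsc ca-server http://ca.example.internal/caserver
config certificate lsc enable
config certificate lsc ap-provision enable

! 4. Verify: OTAP should now read Disabled, and the AP should list its
!    primary/secondary/tertiary controllers.
show network summary
show ap config general ap-floor1-01
```

Step 2 is the one Cisco's advisory calls out; even with OTAP left enabled, an AP with a configured controller list does not need to act on frames from a stranger's controller. Step 3 closes the remaining gap, because a preferred list is only a preference, while an LSC requirement is a cryptographic check that an attacker's controller cannot pass without your CA. The Infrastructure Rogue Discovery feature mentioned above is configured separately and is not shown here.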
Still, if none of those measures are in place, then once an AP has joined an unauthorized controller, or in the worst case an attacker's controller, a whole set of problems follows, including the possibility that the attacker can reach the entire network, wireless and wired. Cisco's advisory makes no mention of this.
“Someone being able to drill into your wired network is much more concerning than users not being able to check e-mail,” said Wade Williamson, director of product management at AirMagnet, in an interview with IDG News.
It is possible that Williamson was responding to the Cisco IntelliShield analysis, which said that even if the vulnerability were exploited, the attacker could not access the underlying RADIUS infrastructure, meaning that the “…rogue access point and Wireless LAN Controller cannot authenticate incoming users, preventing clients from associating to attacker-controlled access points. As a result, clients may not be able to access legitimate network resources, leading to a DoS condition.”
Cisco said it has confirmed the vulnerability and that software updates are not yet available. AirMagnet alerted Cisco to the discovery and has been working with the company to resolve the issue.