Access Point
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02544568
Version: 1
HPSBGN02589 SSRT100296 rev.1 - HP ProCurve Access Points, Access Controllers, and Mobility Controllers, Privilege Escalation
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-13
Last Updated: 2010-10-13
by many wireless ISPs around the world to provide internet and private
office services to hard-to-reach customers.
There is currently a flaw in the authentication mechanism of these radios
which, if an attacker knows some details, allows interception of
Ethernet packets broadcast from the Access Point to the Subscriber Unit
and potentially allows injection into the communication from the Subscriber Unit
to the Access Point.
There are two parts to the 5830 series radio system, an Access Point, and
a Subscriber Unit. Access Points are generally deployed at a radio tower
------
* Marvell Driver EAPoL-Key Length Overflow
Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
MARVELL-based Netgear WN802T) do not correctly parse malformed EAPoL-Key
packets. This packet is used for unicast/multicast key derivation (which
are called 4-way handshake and group key handshake) of any secure
wireless connection (WPA-PSK, WPA2-PSK, WPA-EAP, WPA2-EAP).
Aruba Networks Security Advisory
Title: Malformed 802.11 Association Request frame causes Denial of
Service condition on an Access Point.
Aruba Advisory ID: AID-102609
Revision: 1.0
For Public Release on 10/26/2009
opportunity to redirect the admin password to his own site by
overwriting the login form's action attribute.
The payload gets returned within the login page's 'title' tag. i.e.:
<title>3Com Wireless 8760 Dual Radio 11a/b/g Access Point
PAYLOAD_GOES_HERE</title>
Example of snmpset command that changes the AP's system name:
snmpset -v2c -c private 192.168.1.1 sysName.0 s "PAYLOAD_GOES_HERE"
------
* Atheros Driver Reserved Frame Vulnerability
Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
ATHEROS-based Netgear WNDAP330) do not correctly parse malformed
reserved management frames.
Assigned CVE:
-------------
Advisory # 1:
TITLE
Malformed 802.11 Probe Request frame causes Denial of Service condition
on an Access Point.
SUMMARY
A Denial of Service (DoS) vulnerability was discovered during standard
bug reporting procedures. A malformed 802.11 probe request frame causes
Introduction
============
The Linksys Wireless-G Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which lets you connect both screaming fast Wireless-G (802.11g at 54Mbps) and Wireless-B (802.11b at 11Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect your wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as you need. Finally, the Router function ties it all together and lets your whole network share a high-speed cable or DSL Internet connection.
Security Risk
=============
Linksys WRT54GL is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes to its configuration settings without requiring authentication (CSRF).
http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt
*** SUMMARY ***
Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.
An unauthenticated remote text-based administration console has been found that
allows an attacker to run system commands as the root user.
The vulnerability is also present on firmware ver. 3.04.03 (US).
Other models and/or firmware versions may also be affected.
Background Information:
Linksys WAP54G is a wireless access point that allows wireless clients
connectivity to wired networks.
It supports the 802.11b and 802.11g protocols, with data rates up to 54Mbit/s.
Summary:
Advisory # 1:
TITLE
OS Command Injection Vulnerability in Aruba Remote Access Point
Diagnostic Web Interface.
SUMMARY
An OS command injection vulnerability has been discovered in the Aruba
Secure Network - Security Research Advisory
Vuln name: HTTP Basic Authentication Bypass
Systems affected: Boa/0.93.15 (with Intersil Extensions) based systems (i.e. FreeLan 802.11g Wireless Access Point (RO80211G-AP))
Severity: High
Local/Remote: Remote
Vendor URL: http://www.boa.org - http://isl3893.sourceforge.net - http://www.roper-europe.com
Author(s): Luca "ikki" Carettoni - luca.carettoni@securenetwork.it, Claudio "paper" Merloni - claudio.merloni@securenetwork.it
Vendor disclosure: 24th August 2007
Vendor acknowledged: -
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$
Vulnerability Description
-------------------------
Multiple Cybele Software, Inc. products are vulnerable to arbitrary file retrieval and directory traversal vulnerabilities including ThinVNC, ThinRDP, and ThinVNC Access Point 2.0. An unauthenticated remote attacker can submit requests for files that are located outside the root of the web server that is distributed with these Cybele Software, Inc. products.
Solution Description
--------------------
Cybele Software, Inc. has released a patch for the vulnerability which is available for download from the http://www.thinvnc.com/ website.
Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless
LAN functions, such as security policies, intrusion prevention, RF
management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP) and the Control and
Provisioning of Wireless Access Points (CAPWAP) protocol.
The Cisco WLC family of devices is affected by 2 denial of service
"AMG-2000 is an AP Management Gateway dedicatedly designed for small to
medium-sized network deployment and management, making it an ideal solution
for easily creating and extending WLANs in SMB offices. With its user
management features, administrators will be able to manage the whole process
of wireless network access. In addition, Access Point (AP) management
functions allow administrators to discover, configure, update, and monitor all
managed APs from a single secured interface, and from there, gain full control
of entire wireless network."
that one open session is enough between the user and the web
administration interface, and other users can then also access the web
administration interface.
A malicious user can wait until someone logs in to the interface and then
can access and administer the 3Com Wireless 8760 Access Point without
further authentication. Among other operations, the malicious user
can cause a Denial of Service (DoS) attack on the entire network by
changing the configuration, such as IP addresses.
FYI
------
* Marvell Driver Multiple Information Element Overflows
Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
MARVELL-based Linksys WAP4400N) do not correctly parse information
elements included in association requests. Most information elements are
used by the wireless access point and clients to advertise their
capabilities (regarding rates, network name, cryptographic capabilities...).
-----Original Message-----
From: Paul [mailto:paul14075@gmail.com]
Sent: Sunday, September 28, 2008 6:03 PM
To: wifisec@securityfocus.com; bugtraq@securityfocus.com
Subject: Verizon FIOS (and DSL?) wireless access point insecure default
WEP key
By default, the 40-bit WEP key for the wireless router provided by
Verizon to FiOS (fiber optic) and possibly DSL customers is set to the
last 40 bits of the router's 48-bit MAC address. This is significant
II. BACKGROUND
-------------------------
The CT-536 is an 802.11g (54Mbps) wireless and wired Local Area
Network (WLAN) ADSL router. Four 10/100 Base-T Ethernet and a single USB
port provide wired LAN connectivity, with an integrated 802.11g WiFi
WLAN Access Point (AP) for wireless connectivity. The CT-536 ADSL
router provides state-of-the-art security features such as WPA data
encryption, firewall, and VPN pass-through.
III. DESCRIPTION
-------------------------
------
* Marvell Driver Null SSID Association Request Vulnerability
Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
MARVELL-based Netgear WN802T) do not correctly parse the SSID information
element included in association requests. Most information elements are
used by the wireless access point and clients to advertise their
capabilities (regarding rates, network name, cryptographic
capabilities...). More precisely, the SSID is used by the access point
The SSID has been changed from its true values to protect the identity and anonymity of the victim.
==================================================
NOTES
==================================================
The WeFi client continues to keep the WEP keys long after the client has authenticated with the wireless access point. The first network that the client authenticates with is around offset 044296C0, and further wireless keys can be found after that offset. Each wireless key is accompanied by its respective SSID shortly after the key.
==================================================
SOLUTION
==================================================
Do not keep the wireless encryption keys in the program, and do not allow the client to "Remember Key".
------
* Atheros Vendor Specific Information Element Overflow
Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
ATHEROS-based Linksys WRT350N) do not correctly parse the Atheros vendor
specific information element included in association requests. This
information element is used by wireless devices to advertise Atheros
specific capabilities.
You are not wrong. However, in this case, the point is to capture "WPA
handshake"(not WPA key) in order to brute-force for WPA key. This attack
allows an attacker to capture your "WPA handshake" even though the
legitimate access point is not there. The attacker could create a fake
access point to steal "WPA handshake"(from a client) when you attend
conferences. This attack would not work with iPhone, iPad or other PCs
with Windows OS because they would discard the fake probe response in the
first place.
To successfully exploit this vulnerability an attacker must be able to
somehow position themselves such that they can impersonate a Cygwin mirror.
As a proof-of-concept the local hosts file was modified but an attack
that occurs in the wild can be accomplished through DNS cache
poisoning, ARP redirection, TCP hijacking, impersonation of a Wi-Fi
Access Point, etc. The attacker also would have configured a rogue web
server to push out package code of their choosing. The success of
attacks that utilize the DNS cache poisoning approach has recently been
compounded by Kaminsky's birthday paradox technique (CVE-2008-1447).
For testing purposes, gzip was used as the malicious package although
I have found an Android device behavior which I deem inappropriate.
I am not sure if it can be classified as a vulnerability. The problem
appears when an Android device has connected to hidden SSID wireless
networks. The default behavior of most OSes is to shout out to see if
there is an expected hidden SSID over there. A legitimate access point
would reply with a probe response. However, a rogue access point could
also reply with a fake probe response and continue further negotiation
until it captures the WPA handshake. Android devices will automatically and
gratefully accept the fake response, while other OSes, including Windows and
iOS, prevent this attack by checking the BSSID (MAC address) in the probe
The Cisco WLC family of devices is affected by the following