Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Newly Discovered Vulnerability Could Threaten Cisco Wireless LANs

Flaw in Cisco Over-The-Air-Provisioning could allow attackers to gain control of wireless access points, AirMagnet researchers say

A flaw in the provisioning system used by Cisco wireless LANs could allow attackers to collect data about users' wired networks or even gain access to WLAN-attached systems, researchers said today.

Researchers at AirMagnet's Intrusion Research Team say they have uncovered a security vulnerability in Cisco's Over-The-Air-Provisioning (OTAP), a feature that helps users deploy wireless access points (APs). The potential exploit -- which AirMagnet has dubbed SkyJack -- makes it possible for others to gain control of a Cisco AP, intentionally or unintentionally.

The Cisco OTAP feature allows a Cisco AP to "listen" to traffic from nearby Cisco APs and use that information to quickly locate a nearby WLAN controller on the network. However, this feature may cause unintentional exposure or leakage of network information in all lightweight Cisco APs, AirMagnet says.

If the OTAP feature is not turned off, it is possible for APs to be incorrectly assigned to an outside Cisco controller -- a.k.a. SkyJacked -- either by accident or at the direction of a potential hacker, AirMagnet says.

"We haven't seen any definite exploits yet, but the feature has been available for some time," says Wade Williamson, director of product management at AirMagnet. "We can envision a situation where an attacker could set up a rogue AP in an empty office near a bank, and collect data for a long period of time."

Under OTAP, Cisco APs generate an unencrypted multicast data frame that travels over the air and includes a variety of information in the clear, AirMagnet says. From these frames, a hacker listening to the airwaves could determine the MAC address of the wireless controller that the AP is connected to, the IP address for that controller, and a variety of AP configuration options. The hacker could even collect information on wired devices attached to the WLAN, Williamson says.

The Cisco OTAP frames are always unencrypted, regardless of the encryption scheme used in the network (e.g., WPA), and are always sent, regardless of whether the OTAP feature is turned on, AirMagnet says.

"At the very least, this allows anyone listening to the network to easily find the internal addresses of the wireless LAN controllers in the network and potentially target them for attack," AirMagnet says. All lightweight Cisco deployments are subject to this exposure.

If the OTAP feature is turned on, a newly deployed Cisco AP will listen to the multicast data frame to determine the address of its nearest controller, AirMagnet explains. This means that a Cisco AP may "hear" multicast traffic from a neighboring network and incorrectly connect to a neighbor or an unapproved Cisco controller.

This same mechanism could be exploited intentionally by a hacker to SkyJack APs and take control of an enterprise's access point, AirMagnet says. "You could gain access to the network over a semi-permanent connection and collect data over a long period of time," Williamson says.

AirMagnet has informed Cisco about this vulnerability and potential exploit, and Cisco is working on a fix, Williamson says. In the meantime, AirMagnet recommends that Cisco customers turn off the OTAP feature because it could actively put new sensors in danger of being SkyJacked.

The vulnerability also points up the advantages of having a wireless network monitoring system, such as AirMagnet's, Williamson says. "With wireless, you need to be able to detect activity on the edges of the network in ways that you didn't have to do with wired networks," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-28
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-35128. Reason: This candidate is a reservation duplicate of CVE-2020-35128. Notes: All CVE users should reference CVE-2020-35128 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
PUBLISHED: 2021-01-28
A cross-site scripting (XSS) vulnerability in the assets component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript through the Referer header of asset downloads.
PUBLISHED: 2021-01-28
An issue was discovered on Accfly Wireless Security IR Camera 720P System with software versions v3.10.73 through v4.15.77. There is an unauthenticated stack-based buffer overflow in the function CNetClientManage::ServerIP_Proto_Set during incoming message handling.
PUBLISHED: 2021-01-28
An issue was discovered on Accfly Wireless Security IR Camera System 720P with software versions v3.10.73 through v4.15.77. There is an unauthenticated heap-based buffer overflow in the function CNetClientTalk::OprMsg during incoming message handling.
PUBLISHED: 2021-01-28
An issue was discovered on Accfly Wireless Security IR Camera System 720P with software versions v3.10.73 through v4.15.77. There is an unauthenticated stack-based buffer overflow in the function CNetClientGuard::SubOprMsg during incoming message handling.