Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Newly Discovered Vulnerability Could Threaten Cisco Wireless LANs

Flaw in Cisco Over-The-Air-Provisioning could allow attackers to gain control of wireless access points, AirMagnet researchers say

A flaw in the provisioning system used by Cisco wireless LANs could allow attackers to collect data about users' wired networks or even gain access to WLAN-attached systems, researchers said today.

Researchers at AirMagnet's Intrusion Research Team say they have uncovered a security vulnerability in Cisco's Over-The-Air-Provisioning (OTAP), a feature that helps users deploy wireless access points (APs). The potential exploit -- which AirMagnet has dubbed SkyJack -- makes it possible for others to gain control of a Cisco AP, intentionally or unintentionally.

The Cisco OTAP feature allows a Cisco AP to "listen" to traffic from nearby Cisco APs and use that information to quickly locate a nearby WLAN controller on the network. However, this feature may cause unintentional exposure or leakage of network information in all lightweight Cisco APs, AirMagnet says.

If the OTAP feature is not turned off, it is possible for APs to be incorrectly assigned to an outside Cisco controller -- a.k.a. SkyJacked -- either by accident or at the direction of a potential hacker, AirMagnet says.

"We haven't seen any definite exploits yet, but the feature has been available for some time," says Wade Williamson, director of product management at AirMagnet. "We can envision a situation where an attacker could set up a rogue AP in an empty office near a bank, and collect data for a long period of time."

Under OTAP, Cisco APs generate an unencrypted multicast data frame that travels over the air and includes a variety of information in the clear, AirMagnet says. From these frames, a hacker listening to the airwaves could determine the MAC address of the wireless controller that the AP is connected to, the IP address for that controller, and a variety of AP configuration options. The hacker could even collect information on wired devices attached to the WLAN, Williamson says.

The Cisco OTAP frames are always unencrypted, regardless of the encryption scheme used in the network (e.g., WPA), and are always sent, regardless of whether the OTAP feature is turned on, AirMagnet says.

"At the very least, this allows anyone listening to the network to easily find the internal addresses of the wireless LAN controllers in the network and potentially target them for attack," AirMagnet says. All lightweight Cisco deployments are subject to this exposure.

If the OTAP feature is turned on, a newly deployed Cisco AP will listen to the multicast data frame to determine the address of its nearest controller, AirMagnet explains. This means that a Cisco AP may "hear" multicast traffic from a neighboring network and incorrectly connect to a neighbor or an unapproved Cisco controller.

This same mechanism could be exploited intentionally by a hacker to SkyJack APs and take control of an enterprise's access point, AirMagnet says. "You could gain access to the network over a semi-permanent connection and collect data over a long period of time," Williamson says.

AirMagnet has informed Cisco about this vulnerability and potential exploit, and Cisco is working on a fix, Williamson says. In the meantime, AirMagnet recommends that Cisco customers turn off the OTAP feature because it could actively put new sensors in danger of being SkyJacked.

The vulnerability also points up the advantages of having a wireless network monitoring system, such as AirMagnet's, Williamson says. "With wireless, you need to be able to detect activity on the edges of the network in ways that you didn't have to do with wired networks," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...