Internet Security Systems Security Advisory
June 20, 2001
Multiple Vendor 802.11b Access Point SNMP authentication flaw
Synopsis:
ISS X-Force has discovered a serious flaw in the authentication
mechanism of the Atmel VNET-B Simple Network Management Protocol (SNMP)
implementation. Atmel devices are provided via Original Equipment
Manufacturer (OEM) agreements to Netgear and Linksys. These devices do
not implement any SNMP security measures, which may allow an attacker
to gain access to or control a wireless LAN (WLAN).
Impact:
The affected Access Points do not protect their SNMP variables from
users on the network, allowing these variables to be viewed or modified.
Properly designed devices should support SNMP community strings to block
unauthorized users from viewing or modifying SNMP variables. However,
these devices will honor requests to read or write to the Management
Information Base (MIB) with any community string. Attackers may use this
design flaw to gather information about the network, view Wired
Equivalent Privacy (WEP) keys, deny service to wireless clients, or gain
access to the WLAN.
Affected Versions:
Atmel 802.11b VNET-B based Access Point
with firmware versions up to and including 1.3
Linksys WAP11
with Atmel firmware versions up to and including 1.3
Netgear ME102
with Atmel firmware versions up to and including 1.3
Description:
Atmel 802.11 VNET-B based Access Point supports the AT76C510 MIB that
contains information related to all management functions supported by
the device. The MIB includes sensitive information like the ESSID, WEP
key, MAC addresses for the Access Point itself and its clients. A MIB
describes objects that can be managed by SNMP and contains the common
names of objects, the value of the unique object ID (OID), and a
description of each object. This information can be used by an attacker
interested in gaining access to the WLAN associated with the Access
Point. The Atmel device is vulnerable to a Denial of Service (DoS), due
to the fact that it will accept any community string to write to the
MIB. Attackers may launch a DoS attack against the Access Point by
modifying one or more of the critical values contained in the MIB.
The AT76C510 MIB also contains variables that control the state of the
device. Unauthorized "snmpset" commands using these variables can reset
the device or restore its configuration to default settings. If an
attacker was interested in removing evidence of compromise, he or she
could also disable SNMP traps sent to SNMP management consoles from the
device.
Recommendations:
There is no workaround for this issue. ISS X-Force recommends installing
the vendor firmware upgrade as soon as it becomes available.
Atmel has made firmware version 1.4 available to Linksys and Netgear.
This update will soon be available from each vendor.
Linksys WAP11 Access Point:
Download the update when it becomes available from:
http://www.linksys.com/download/firmware.asp
Netgear ME102 Access Point:
Download the update when it becomes available from:
http://www.netgear.com/customer_services.asp
ISS RealSecure and ISS Internet Scanner have been upgraded with the most
comprehensive 802.11b wireless vulnerability and threat detection
available. The upcoming Wireless X-Press Updates will provide extensive
coverage for major security issues found in many popular Access Points.
ISS X-Force recommends upgrading to the latest X-Press Updates when they
become available.
ISS Consulting and Managed Security Services (MSS) can provide a variety
of wireless security offerings including security health checks,
wireless security policy, wireless architecture design, and managed
wireless network protection.
ISS SecureU is offering educational courses on 802.11 wireless security.
Please refer to the following URL for more information:
http://www.iss.net/wireless
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2001-0514 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
Credits:
This vulnerability was discovered and researched by Kevin Chou of the
ISS X-Force. Internet Security Systems would like to thank Atmel for
their response and handling of this vulnerability.
______
About Internet Security Systems (ISS)
Internet Security Systems is the leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.
Copyright (c) 2001 Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforceat_private for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
xforceat_private of Internet Security Systems, Inc.
This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 16:11:02 PDT