Internet Security Systems Security Advisory June 20, 2001 Multiple Vendor 802.11b Access Point SNMP authentication flaw Synopsis: ISS X-Force has discovered a serious flaw in the authentication mechanism of the Atmel VNET-B Simple Network Management Protocol (SNMP) implementation. Atmel devices are provided via Original Equipment Manufacturer (OEM) agreements to Netgear and Linksys. These devices do not implement any SNMP security measures, which may allow an attacker to gain access to or control a wireless LAN (WLAN). Impact: The affected Access Points do not protect their SNMP variables from users on the network, allowing these variables to be viewed or modified. Properly designed devices should support SNMP community strings to block unauthorized users from viewing or modifying SNMP variables. However, these devices will honor requests to read or write to the Management Information Base (MIB) with any community string. Attackers may use this design flaw to gather information about the network, view Wired Equivalent Privacy (WEP) keys, deny service to wireless clients, or gain access to the WLAN. Affected Versions: Atmel 802.11b VNET-B based Access Point with firmware versions up to and including 1.3 Linksys WAP11 with Atmel firmware versions up to and including 1.3 Netgear ME102 with Atmel firmware versions up to and including 1.3 Description: Atmel 802.11 VNET-B based Access Point supports the AT76C510 MIB that contains information related to all management functions supported by the device. The MIB includes sensitive information like the ESSID, WEP key, MAC addresses for the Access Point itself and its clients. A MIB describes objects that can be managed by SNMP and contains the common names of objects, the value of the unique object ID (OID), and a description of each object. This information can be used by an attacker interested in gaining access to the WLAN associated with the Access Point. The Atmel device is vulnerable to a Denial of Service (DoS), due to the fact that it will accept any community string to write to the MIB. Attackers may launch a DoS attack against the Access Point by modifying one or more of the critical values contained in the MIB. The AT76C510 MIB also contains variables that control the state of the device. Unauthorized "snmpset" commands using these variables can reset the device or restore its configuration to default settings. If an attacker was interested in removing evidence of compromise, he or she could also disable SNMP traps sent to SNMP management consoles from the device. Recommendations: There is no workaround for this issue. ISS X-Force recommends installing the vendor firmware upgrade as soon as it becomes available. Atmel has made firmware version 1.4 available to Linksys and Netgear. This update will soon be available from each vendor. Linksys WAP11 Access Point: Download the update when it becomes available from: http://www.linksys.com/download/firmware.asp Netgear ME102 Access Point: Download the update when it becomes available from: http://www.netgear.com/customer_services.asp ISS RealSecure and ISS Internet Scanner have been upgraded with the most comprehensive 802.11b wireless vulnerability and threat detection available. The upcoming Wireless X-Press Updates will provide extensive coverage for major security issues found in many popular Access Points. ISS X-Force recommends upgrading to the latest X-Press Updates when they become available. ISS Consulting and Managed Security Services (MSS) can provide a variety of wireless security offerings including security health checks, wireless security policy, wireless architecture design, and managed wireless network protection. ISS SecureU is offering educational courses on 802.11 wireless security. Please refer to the following URL for more information: http://www.iss.net/wireless Additional Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0514 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Credits: This vulnerability was discovered and researched by Kevin Chou of the ISS X-Force. Internet Security Systems would like to thank Atmel for their response and handling of this vulnerability. ______ About Internet Security Systems (ISS) Internet Security Systems is the leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 8,000 customers worldwide including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. telecommunications companies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477. Copyright (c) 2001 Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforceat_private for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforceat_private of Internet Security Systems, Inc.
This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 16:11:02 PDT