Vulnerability in Cisco's WLAN technology gives attackers access to corporate networks - Update
AirMagnet, a WLAN security provider, has pointed out a security problem in Cisco's Access Points (APs) that is related to the Over-The-Air Provisioning (OTAP) feature in Cisco's Unified Wireless Network Architecture. In this architecture, a Lightweight Access Point (LAP) obtains its configuration from a central Wireless LAN Controller (WLC). Attackers can reportedly manipulate this set-up to gain control of a LAP and, as a result, access a corporate network.
The OTAP feature allows newly added LAPs to find their controller. Apart from handling configuration, the controller also monitors the wireless networks and collects information submitted by the LAPs via the Lightweight Access Point Protocol (LWAPP). For instance, individual Access Points forward the Radio Resource Management (RRM) Neighbor Packets they receive from neighbouring Access Points to the controller. Among other things, RRM packets contain information about antennas, channels in use, performance, WLAN access codes and the controller's IP address, all in unencrypted form.
If a newly added LAP receives a specially crafted RRM packet with a malformed IP address during the initial boot process, it will register with the wrong controller. According to AirMagnet, an attacker can use such an attack, dubbed SkyJack, to gain control of the Access Point. AirMagnet's advisory gives no further details, for example whether a successful attack requires the attacker to bypass authentication: registration normally includes an authentication process and key negotiations to protect the communication.
Cisco has been informed of the problem and is reportedly working on a solution. However, the vendor is probably not entirely unfamiliar with this issue. After all, Cisco's own best-practice guidelines recommend disabling OTAP on all LAPs after start-up – and no conscientious admin is likely to start up devices without supervision. In addition, OTAP is disabled by default.
Update: Cisco has posted a security alert confirming the problem and advising administrators to preconfigure access points with preferred controller lists. Administrators are also advised to consider employing Logically Signed Certificates (LSCs) to ensure that access points only associate with authorised controllers.
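As an added illustration of the two mitigations named above (not taken from the article or from Cisco's alert), the following controller CLI session shows the weak state beside the hardened one. It assumes an AireOS-style WLC command set and uses constructed names: controllers WLC-1 (10.10.0.5) and WLC-2 (10.10.0.6), and an access point AP-floor3; the output lines are constructed too.

```text
! Weak state: OTAP is on and the AP has no preferred controllers, so during boot it
! will join whichever controller IP it learns from RRM neighbour packets.
(WLC-1) >show network summary
...
Over The Air Provisioning of AP.......... Enable

! Hardened: switch OTAP off on the controller (assumed command syntax) ...
(WLC-1) >config network otap-mode disable

! ... and pin the AP to known controllers so it never discovers one over the air.
! Syntax assumed: config ap primary-base <controller-name> <ap-name> <controller-ip>
(WLC-1) >config ap primary-base   WLC-1 AP-floor3 10.10.0.5
(WLC-1) >config ap secondary-base WLC-2 AP-floor3 10.10.0.6

! Check per AP that a preferred controller list is actually set.
(WLC-1) >show ap config general AP-floor3
...
Primary Cisco Switch Name................ WLC-1
Primary Cisco Switch IP Address.......... 10.10.0.5
Secondary Cisco Switch Name.............. WLC-2
Secondary Cisco Switch IP Address........ 10.10.0.6
```

An AP whose "Primary Cisco Switch Name" field is empty while OTAP reads Enable is still in the state the advisory describes.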