-----BEGIN PGP SIGNED MESSAGE-----
Cisco Security Advisory: Access to the Cisco Aironet 340 Series Wireless Bridge
via Web Interface
Revision 1.0
For Public Release 2001 March 07 08:00 (GMT -0800)
_________________________________________________________________
Summary
It is possible to view and modify the bridge's configuration via Web
interface even when Web access is disabled in the configuration. This
defect is documented as Cisco bug ID CSCdt52783. This defect is
present in the following hardware models:
* Aironet AP4500,
* Aironet AP4800,
* Aironet BR100,
* Aironet BR500,
* Cisco Aironet AIR-BR340
The firmware release 8.55 is the first image which contains the fix.
All previous firmware releases for listed devices are vulnerable. No
other Aironet/Cisco Aironet wireless product is affect by this
vulnerability. This advisory is available at the
http://www.cisco.com/warp/public/707/Aironet340-pub.shtml.
Affected Products
The following hardware models are affected:
* Aironet AP4500,
* Aironet AP4800,
* Aironet BR100,
* Aironet BR500,
* Cisco Aironet AIR-BR340
They are vulnerable to this defect if they are running any of the
following firmware releases:
* 7.X
* 8.07
* 8.24
The release 8.55 is the first release where this vulnerability is
fixed. No other Aironet/Cisco Aironet wireless products are affected
by this defect.
Details
It is possible to view and modify the bridge's configuration, using
Web interface, despite it being explicitly disabled. This
vulnerability is exploitable over the wired and wireless link alike.
Impact
An attacker is able to modify the bridge's configuration. It is
necessary for an attacker to obtain connectivity to the bridge. That
can be done either using wired or wireless Ethernet interface.
Software Versions and Fixes
This defect is fixed in the release 8.55 of the software.
Obtaining Fixed Software
Cisco is offering free software upgrades to eliminate this
vulnerability for all affected customers.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained via the Software Center on Cisco's Worldwide Web
site at http://www.cisco.com. Please do not contact either
"psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Workarounds
There is no workaround if an attack is coming from wired Ethernet
interface.
To mitigate this vulnerability if an attack is coming over the
wireless link the following actions may be taken:
* Change SSID to non guessable value.
* Turn on WEP encryption if possible.
* On bridges (BR100, BR500 and AIR-BR340) turn off access point
mode. That will disallow direct access to the bridge by any
client.
For the instruction on how to perform these operations on the Cisco
Aironet 340 Series Wireless Bridge, please see:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/aironet/br
idge/brdgqs.htm
For more detailed description please consult "Using the Cisco Aironet
340 Series Wireless Bridges", which can be found at:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/aironet/br
idge/ebridge.pdf Information on SSID and other basic settings is on
page 4-3. Information on bridge mode vs AP mode is on page 4-17.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. This
vulnerability was discovered by a customer.
Status of This Notice: FINAL
This is a final notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked
to the best of our ability. Cisco does not anticipate issuing updated
versions of this notice unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco may
update this notice.
Distribution
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/Aironet340-pub.shtml. In
addition to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* firewalls@lists.gnac.com
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the URL given above for any updates.
Revision History
Revision 1.0 2001-March-07 08:00 GMT-0800 Initial public release
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco
security notices.
_________________________________________________________________
This notice is Copyright 2001 by Cisco Systems, Inc. This notice may
be redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
and include all date and version information.
_________________________________________________________________
All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights
reserved.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQEVAwUBOqZnU2iN3BRdFxkbAQGrWQgAi0yNI2MNmv7E1J/M/vdnRhLN2PBBw3uw
j/E/R72PP53XiOS4QA6bUO9ReJSbDesnzcCKwwUO2sjDNWEaqglqL2CKn7p1lCcO
fO3lvznv29hJNbPrxrBFBOFJS0si9zbOlFJ2mNef8LL7WgpamObbNWTBqZ6rwptZ
thJGMLWnbv/8skKYBNMJTcixQ7/rOz30va9RMJt4HsnbmRG3bIICmvQbuQCVBb9I
8ZkKLWB2H7D0uO2qiYX8i27UE8xOVDF/G+B00M/fMmMpFbAT6dspemmt+1rDX+A0
Ljb8heEpnPlwhk3+TDcECGqUFjsMIFp5f5aQkIJ1O1xjaDNPtz95XA==
=DNwd
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:31 EDT