-----BEGIN PGP SIGNED MESSAGE----- Cisco Security Advisory: Access to the Cisco Aironet 340 Series Wireless Bridge via Web Interface Revision 1.0 For Public Release 2001 March 07 08:00 (GMT -0800) _________________________________________________________________ Summary It is possible to view and modify the bridge's configuration via Web interface even when Web access is disabled in the configuration. This defect is documented as Cisco bug ID CSCdt52783. This defect is present in the following hardware models: * Aironet AP4500, * Aironet AP4800, * Aironet BR100, * Aironet BR500, * Cisco Aironet AIR-BR340 The firmware release 8.55 is the first image which contains the fix. All previous firmware releases for listed devices are vulnerable. No other Aironet/Cisco Aironet wireless product is affect by this vulnerability. This advisory is available at the http://www.cisco.com/warp/public/707/Aironet340-pub.shtml. Affected Products The following hardware models are affected: * Aironet AP4500, * Aironet AP4800, * Aironet BR100, * Aironet BR500, * Cisco Aironet AIR-BR340 They are vulnerable to this defect if they are running any of the following firmware releases: * 7.X * 8.07 * 8.24 The release 8.55 is the first release where this vulnerability is fixed. No other Aironet/Cisco Aironet wireless products are affected by this defect. Details It is possible to view and modify the bridge's configuration, using Web interface, despite it being explicitly disabled. This vulnerability is exploitable over the wired and wireless link alike. Impact An attacker is able to modify the bridge's configuration. It is necessary for an attacker to obtain connectivity to the bridge. That can be done either using wired or wireless Ethernet interface. Software Versions and Fixes This defect is fixed in the release 8.55 of the software. Obtaining Fixed Software Cisco is offering free software upgrades to eliminate this vulnerability for all affected customers. Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com. Please do not contact either "[EMAIL PROTECTED]" or "[EMAIL PROTECTED]" for software upgrades. Workarounds There is no workaround if an attack is coming from wired Ethernet interface. To mitigate this vulnerability if an attack is coming over the wireless link the following actions may be taken: * Change SSID to non guessable value. * Turn on WEP encryption if possible. * On bridges (BR100, BR500 and AIR-BR340) turn off access point mode. That will disallow direct access to the bridge by any client. For the instruction on how to perform these operations on the Cisco Aironet 340 Series Wireless Bridge, please see: http://www.cisco.com/univercd/cc/td/doc/product/wireless/aironet/br idge/brdgqs.htm For more detailed description please consult "Using the Cisco Aironet 340 Series Wireless Bridges", which can be found at: http://www.cisco.com/univercd/cc/td/doc/product/wireless/aironet/br idge/ebridge.pdf Information on SSID and other basic settings is on page 4-3. Information on bridge mode vs AP mode is on page 4-17. Exploitation and Public Announcements The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. This vulnerability was discovered by a customer. Status of This Notice: FINAL This is a final notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. Distribution This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/Aironet340-pub.shtml. In addition to Worldwide Web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients: * [EMAIL PROTECTED] * [EMAIL PROTECTED] * [EMAIL PROTECTED] (includes CERT/CC) * [EMAIL PROTECTED] * comp.dcom.sys.cisco * [EMAIL PROTECTED] * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates. Revision History Revision 1.0 2001-March-07 08:00 GMT-0800 Initial public release Cisco Security Procedures Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. _________________________________________________________________ This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information. _________________________________________________________________ All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBOqZnU2iN3BRdFxkbAQGrWQgAi0yNI2MNmv7E1J/M/vdnRhLN2PBBw3uw j/E/R72PP53XiOS4QA6bUO9ReJSbDesnzcCKwwUO2sjDNWEaqglqL2CKn7p1lCcO fO3lvznv29hJNbPrxrBFBOFJS0si9zbOlFJ2mNef8LL7WgpamObbNWTBqZ6rwptZ thJGMLWnbv/8skKYBNMJTcixQ7/rOz30va9RMJt4HsnbmRG3bIICmvQbuQCVBb9I 8ZkKLWB2H7D0uO2qiYX8i27UE8xOVDF/G+B00M/fMmMpFbAT6dspemmt+1rDX+A0 Ljb8heEpnPlwhk3+TDcECGqUFjsMIFp5f5aQkIJ1O1xjaDNPtz95XA== =DNwd -----END PGP SIGNATURE-----
Cisco Security Advisory: Access to the Cisco Aironet 340 Series Wireless Bridge via Web Interface
Cisco Systems Product Security Incident Response Team Wed, 07 Mar 2001 13:38:24 -0800