Unpatched Cisco/Airespace WLANs at Risk
November 03, 2005
The company backing the LWAPP thin AP control protocol says some of its access points can be accessed by unauthenticated hosts.
issued a security advisory yesterday stating that enterprise customers using specific access points and WLAN controllers may be vulnerable to attack even if they're using encryption and authentication.
The problem stems from APs using the Lightweight Access Point Protocol (LWAPP), which is used to manage "thin APs" those with most of their functions hosted on a central controller. With particular APs in LWAPP mode, they run a stripped-down version of the Cisco IOS software, so they can't be configured individually. However, they are also able to "accept unencrypted traffic from end hosts even when configured to encrypt traffic," according to the security advisory. This traffic would come from the Media Access Control (MAC) address of an end host that is already authenticated. Attackers can use it to send malicious traffic.
Customers using Cisco 1200, 1131, and 1240 series APs run by Cisco 2000 and 4400 series Airespace WLAN Controllers with software version 220.127.116.11 are vulnerable. The issue only impacts deployments with a separate controller, and no other access points are effected.
Cisco purchased Airespace early in 2005, putting the company on an even footing with startups in the WLAN switch space, even though Cisco has never fallen out of the top spot in enterprise WLAN sales thanks to its standard "fat" access point deployments.
Cisco has also released another security advisory this week about its intrusion prevention system (IPS).
LWAPP's Checkered Past
The LWAPP protocol was originally backed by several of the WLAN switch companies though not by Cisco. The vendor started out all for LWAPP, but it then turned against the protocol, and even had its own proprietary version for a while. That all changed when Cisco bought out Airespace.
The written Internet Engineering Task Force (IETF) Internet Draft for LWAPP expired in March 2004, so a new working group called Control and Provisioning of Wireless Access Points (CAPWAP) was formed.
In August of this year, several members of the CAPWAP group evaluated protocols, and recommended that LWAPP be used as the underlying basis for CAPWAP over other in-progress protocols like SLAPP (Secure Light Access Point Protocol), WICOP (Wireless LAN Control Protocol) and CTP (CAPWAP Tunneling Protocol).
Cisco personnel submitted a draft to the IETF's CAPWAP working group in May 2005 called "LWAPP Self Evaluation," which specifically recommended LWAPP as the best choice, stating, "We believe that the quality of the [LWAPP] protocol and the document would help expedite the publication of the CAPWAP protocol."