COMMAND
802.11b Access Points
SYSTEMS AFFECTED
802.11b Access Points
PROBLEM
The following is based on an Internet Security Systems Security
Advisory. Internet Security Systems (ISS) X-Force has discovered
a vulnerability in several 802.11b Access Point devices. This
problem may reveal the Wired Equivalent Privacy (WEP) key that is
associated with the wired network. The WEP key is part of an
encryption technique that provides secure data transmissions
between wireless Access Points and PCs. The WEP encryption key
can be obtained via a Simple Network Management Protocol (SNMP)
query sent to the Access Point from a computer on the wired
network. It is possible for an attacker to gain access to the WEP
encryption key from the wired side, and then decrypt traffic on
the wireless network. This attack is only possible if the Access
Point is attacked from a wired network.
X-Force confirmed the following products are vulnerable:
- 3Com AirConnect Model Number AP-4111
- Symbol 41X1 Access Point Series
Symbol Technologies Inc. provides 802.11b Access Point technology
to several vendors under Original Equipment Manufacturer (OEM)
agreements. These devices are branded and sold as distinct
products. ISS X-Force has not tested all potentially vulnerable
products. ISS X-Force recommends referring to the following URL
for information about additional potentially vulnerable devices:
http://www.symbol.com/products/wireless/wireless_alliances_and_partner.html
The WEP encryption key is used to provide wireless clients with
confidentiality and authentication in an IEEE 802.11b (a standard
for wireless transmissions) environment. The IEEE 802.11b
standard Management Information Base (MIB) includes the definition
for dot11WEPDefaultKeyValue in the dot11WEPDefaultKeysTable, and
explicitly states that, "The WEP default secret keys are logically
WRITE-ONLY. Attempts to read the entries in this table shall
return unsuccessful status and values of null or zero."
All affected Access Points support the IEEE 802.11b MIB and the
vendor-specific MIB. The Symbol SNMP agent reveals the WEP
encryption key in response to a valid wired-side SNMP query for
the following:
1. IEEE 802.11b MIB: dot11WEPDefaultKeyValue in the
dot11WEPDefaultKeysTable
2. Symbol MIB: ap128bWepKeyValue in the ap128bWEPKeyTable
The current implementation of the Symbol SNMP agent presents a
standards compliance issue. More importantly, the privacy of
wireless clients may not be protected, and as a result, the
authentication mechanism may not be reliable.
This vulnerability was discovered and researched by Kevin Chou of
the ISS X-Force.
SOLUTION
Symbol Technologies has made a firmware update available to
address the problems documented in this advisory. Contact your
vendor for information about this update and its availability.
3Com Corporation will make the firmware update available on their
Web site: http://www.3Com.com
This vulnerability is closely related to how manufacturers comply
with IEEE 802.11b standards. It is possible that additional
Access Points from other vendors may be vulnerable to the problems
described in this advisory. ISS X-Force recommends that all Access
Point users check for the existence of this vulnerability.
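
One way to carry out this check on your own Access Point is to capture a
wired-side SNMP walk of the device and test whether the two key objects
named above come back null or zero, as the IEEE 802.11b MIB requires. The
script below is an added example, not code from ISS or the vendors. It
assumes the walk was saved as text in net-snmp short-name output style;
the sample lines and their index values are constructed. It reports a
verdict per table entry and never prints the key material itself.

```python
import re

# Object names as given in the advisory; lines are matched by name only.
KEY_OBJECTS = ("dot11WEPDefaultKeyValue", "ap128bWepKeyValue")
LINE_RE = re.compile(r"^(?:[\w-]+::)?(\w+)\.([\d.]+)\s*=\s*(.*)$")

# Constructed sample in net-snmp short-name output style (not real device output).
SAMPLE = """\
dot11WEPDefaultKeyValue.1.1 = Hex-STRING: 00 00 00 00 00
dot11WEPDefaultKeyValue.1.2 = ""
dot11WEPDefaultKeyValue.1.3 = Hex-STRING: 4B 45 59 30 31
ap128bWepKeyValue.1 = STRING: "constructedkey"
ap128bWepKeyValue.2 = No Such Instance currently exists at this OID
sysDescr.0 = STRING: "constructed access point"
"""

def classify(value):
    """'compliant' if the agent returned no key material, else 'exposed'."""
    v = value.strip()
    # Empty value or an SNMP "No Such ..." status: read attempt was refused.
    if v in ("", '""') or v.startswith("No Such"):
        return "compliant"
    m = re.match(r"^(Hex-STRING|STRING):\s*(.*)$", v)
    if m is None:
        return "unknown"
    kind, body = m.groups()
    if kind == "Hex-STRING":
        # All-zero octets satisfy "values of null or zero".
        return "compliant" if all(o == "00" for o in body.split()) else "exposed"
    return "compliant" if body.strip().strip('"') == "" else "exposed"

def audit(lines):
    """Return (object, index, verdict) for every key object in the walk."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(1) in KEY_OBJECTS:
            findings.append((m.group(1), m.group(2), classify(m.group(3))))
    return findings

def is_vulnerable(findings):
    return any(verdict == "exposed" for _, _, verdict in findings)

if __name__ == "__main__":
    for name, index, verdict in audit(SAMPLE.splitlines()):
        print(f"{name}.{index}: {verdict}")
```

Any entry reported as exposed means the agent is returning readable key
values and the firmware update described above has not been applied.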