COMMAND

    802.11b

SYSTEMS AFFECTED

    Multiple Vendor 802.11b Access Point SNMP

PROBLEM

    The following is based on an Internet Security Systems Security
    Advisory.   ISS  X-Force  has  discovered  a  serious  flaw in the
    authentication  mechanism  of  the  Atmel  VNET-B  Simple  Network
    Management  Protocol  (SNMP)  implementation.   Atmel  devices are
    provided via Original  Equipment Manufacturer (OEM)  agreements to
    Netgear and  Linksys.   These devices  do not  implement any  SNMP
    security measures, which may allow  an attacker to gain access  to
    or control a wireless LAN (WLAN).

    The affected  Access Points  do not  protect their  SNMP variables
    from users on the network,  allowing these variables to be  viewed
    or  modified.   Properly  designed  devices  should  support  SNMP
    community  strings  to  block  unauthorized  users from viewing or
    modifying  SNMP  variables.   However,  these  devices  will honor
    requests  to  read  or  write  to  the Management Information Base
    (MIB) with any  community string.   Attackers may use  this design
    flaw  to  gather  information   about  the  network,  view   Wired
    Equivalent Privacy (WEP) keys,  deny service to wireless  clients,
    or gain access to the WLAN.

    Affected versions:

        - Atmel 802.11b VNET-B based Access Point with firmware versions up to and including 1.3
        - Linksys WAP11 with Atmel firmware versions up to and including 1.3
        - Netgear ME102 with Atmel firmware versions up to and including 1.3

    The Atmel 802.11 VNET-B based Access Point supports the AT76C510
    MIB, which contains information related to all management functions
    supported by the device.  The MIB includes sensitive information
    such as the ESSID, the WEP key, and the MAC addresses of the Access
    Point itself and its clients.  A MIB describes objects that can be
    managed by SNMP and contains the common names of objects, the value
    of the unique object ID (OID), and a description of each object.
    This information can be used by an attacker interested in gaining
    access to the WLAN associated with the Access Point.  The Atmel
    device is also vulnerable to a Denial of Service (DoS) because it
    will accept any community string to write to the MIB.  Attackers may
    launch a DoS attack against the Access Point by modifying one or
    more of the critical values contained in the MIB.

    The AT76C510 MIB  also contains variables  that control the  state
    of  the  device.   Unauthorized  "snmpset"  commands  using  these
    variables can  reset the  device or  restore its  configuration to
    default settings.  An attacker interested in removing evidence of
    compromise could also disable the SNMP traps sent from the device
    to SNMP management consoles.

    This vulnerability was discovered and researched by Kevin Chou  of
    the ISS X-Force.

SOLUTION

    There is  no workaround  for this  issue.   ISS X-Force recommends
    installing  the  vendor  firmware  upgrade  as  soon as it becomes
    available.

    Atmel  has  made  firmware  version  1.4  available to Linksys and
    Netgear.  This update will soon be available from each vendor.

    Linksys WAP11 Access Point -  download the update when it  becomes
    available from:

        http://www.linksys.com/download/firmware.asp

    Netgear ME102 Access Point -  download the update when it  becomes
    available from:

        http://www.netgear.com/customer_services.asp
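
    An added example, not part of the ISS advisory or any vendor's code: a
    minimal Python check an administrator can run against their own access
    point, for instance after installing updated firmware, to see whether it
    still answers an SNMPv1 read sent with a random community string.  The
    function names are assumptions of this example; the only object queried
    is the standard sysDescr.0.

```python
import secrets
import socket
SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # sysDescr.0, a standard MIB-II object

def tlv(tag, body):  # BER tag-length-value, short-form length (enough to send)
    return bytes([tag, len(body)]) + body

def build_get(community, request_id, oid=SYS_DESCR):
    """SNMPv1 GetRequest: SEQUENCE { version 0, community, GetRequest-PDU }."""
    oid_tlv = tlv(0x06, bytes([oid[0] * 40 + oid[1], *oid[2:]]))  # arcs all < 128
    varbinds = tlv(0x30, tlv(0x30, oid_tlv + tlv(0x05, b"")))     # value is NULL
    pdu = tlv(0xA0, tlv(0x02, request_id.to_bytes(4, "big"))
              + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); accepts short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def is_accepted(reply, request_id):
    """True if reply is a GetResponse to our request that returned a value."""
    try:
        _, msg, _ = read_tlv(reply, 0)
        _, _, p = read_tlv(msg, 0)       # version
        _, _, p = read_tlv(msg, p)       # community
        tag, pdu, _ = read_tlv(msg, p)   # PDU; 0xA2 is GetResponse
        _, rid, q = read_tlv(pdu, 0)
        _, status, _ = read_tlv(pdu, q)  # error-status
    except IndexError:                   # truncated or malformed datagram
        return False
    return (tag == 0xA2 and int.from_bytes(rid, "big") == request_id
            and int.from_bytes(status, "big") == 0)

def honors_any_community(host, timeout=2.0):
    """One read with a random community string; True means it was answered."""
    community = secrets.token_hex(8).encode()  # random, so never a configured value
    request_id = 0x01000000 + secrets.randbelow(0x7EFFFFFF)  # positive, 4 octets
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, request_id), (host, 161))
        try:
            reply, _ = s.recvfrom(1500)
        except OSError:                  # timeout: the request was ignored
            return False
    return is_accepted(reply, request_id)
```

    A device that enforces community strings should leave the request
    unanswered, so honors_any_community() returning True indicates the
    behaviour described in this advisory.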