COMMAND

    Lucent/Orinoco 802.11 proprietary access control-closed network

SYSTEMS AFFECTED

    Lucent/Orinoco (Most access points based on Orinoco wireless cards)

PROBLEM

    Bill Arbaugh found the following.  An attacker can determine the
    network name, or SSID, which in a Closed Network is what controls
    access to the network.  Knowledge of the SSID permits a client to
    associate with, and so join, the network.  If WEP is not enabled,
    the attacker gains unrestricted access to the network immediately.

    Lucent  has  defined  a   proprietary  access  control   mechanism
    entitled Closed Network.   With this mechanism, a  network manager
    can use either an open or  a closed network.  In an  open network,
    anyone is  permitted to  join the  network.   In a closed network,
    only those clients  with knowledge of  the network name,  or SSID,
    can join.  In essence, the  network name acts as a shared  secret.
    Claims are made that a Closed Network prevents unauthorized  users
    from accessing the network.

    In practice, security mechanisms based on a shared secret are only
    as strong as the protection given to the secret while it is in use
    and while it is distributed.  Lucent's proprietary access control
    mechanism gives the network name no such protection.  Several
    802.11 management frames carry the network name, or SSID, as an
    information element, and these frames are transmitted in the clear
    by access points and clients: a closed access point typically
    leaves the name out of its beacons, but probe requests, probe
    responses and association requests still carry it.  Exactly which
    frame exposes the SSID depends on the vendor and model of the
    access point.  The end result, however, is that an attacker can
    easily sniff the network name, recovering the shared secret and
    gaining immediate access to the ``protected'' network if WEP is
    not enabled.  Even with WEP enabled, the attacker could use
    previously disclosed WEP flaws to gain access by forging packets:

        http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zip
        http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
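
    The following Python script is an added example; it is not part of
    the original advisory and is not Lucent code.  It parses raw 802.11
    management frames (the 24-byte header, the subtype's fixed fields,
    then the tagged information elements) and pulls out the SSID
    element (element ID 0), which is the operation a sniffer performs
    against a Closed Network.  The frames it runs on are constructed
    inline: a beacon from a closed access point with an empty SSID, a
    beacon with a NUL-filled SSID, and a probe request and association
    request from a client carrying the real name.  The addresses, the
    rates element and the network name "orinoco-lab" are made up for
    the example.

```python
"""Added example: recover an 802.11 SSID from cleartext management frames."""

# Management-frame subtypes (frame-control type field == 0)
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x4, 0x5, 0x8
MGMT_HDR_LEN = 24     # FC(2) + duration(2) + addr1/2/3(18) + seq ctrl(2)
SSID_ELEMENT_ID = 0   # element ID of the SSID information element

# Length of the fixed fields that precede the element list, per subtype
FIXED_LEN = {
    ASSOC_REQ: 4,     # capability(2) + listen interval(2)
    PROBE_REQ: 0,     # element list starts immediately after the header
    PROBE_RESP: 12,   # timestamp(8) + beacon interval(2) + capability(2)
    BEACON: 12,
}


def parse_elements(body):
    """Yield (element_id, value) from an 802.11 tagged-parameter list."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:      # truncated element: stop, do not guess
            break
        yield eid, value
        off += 2 + length


def extract_ssid(frame):
    """Return (subtype, ssid) for a management frame, or None for others.

    ssid is '' when the SSID element is absent, zero-length, or filled
    with NULs, which is how a Closed Network hides the name in beacons.
    """
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
    if version != 0 or ftype != 0 or subtype not in FIXED_LEN:
        return None
    body = frame[MGMT_HDR_LEN + FIXED_LEN[subtype]:]
    for eid, value in parse_elements(body):
        if eid == SSID_ELEMENT_ID:
            name = value.rstrip(b"\x00")
            return subtype, name.decode("utf-8", errors="replace")
    return subtype, ""


def recover_ssid(frames):
    """Return the first non-empty SSID found in a sequence of raw frames."""
    for frame in frames:
        found = extract_ssid(frame)
        if found and found[1]:
            return found[1]
    return None


# --- constructed sample frames (made up for this example, not a capture) ---
AP = b"\x00\x02\x2d\x00\x00\x01"      # made-up BSSID / AP address
CLIENT = b"\x00\x02\x2d\x00\x00\x02"  # made-up client address
BCAST = b"\xff" * 6
BEACON_FIXED = b"\x00" * 8 + b"\x64\x00" + b"\x01\x00"   # ts, interval, cap
RATES = (1, b"\x82\x84\x8b\x96")      # Supported Rates element: 1/2/5.5/11


def mgmt_frame(subtype, dst, src, bssid, fixed, elements):
    """Build a minimal management frame from its parts (example data)."""
    fc = bytes([subtype << 4, 0])
    header = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    ies = b"".join(bytes([eid, len(val)]) + val for eid, val in elements)
    return header + fixed + ies


HIDDEN_BEACON = mgmt_frame(BEACON, BCAST, AP, AP, BEACON_FIXED,
                           [(SSID_ELEMENT_ID, b""), RATES])
NULL_BEACON = mgmt_frame(BEACON, BCAST, AP, AP, BEACON_FIXED,
                         [(SSID_ELEMENT_ID, b"\x00" * 11), RATES])
PROBE_REQUEST = mgmt_frame(PROBE_REQ, BCAST, CLIENT, BCAST, b"",
                           [(SSID_ELEMENT_ID, b"orinoco-lab"), RATES])
ASSOC_REQUEST = mgmt_frame(ASSOC_REQ, AP, CLIENT, AP, b"\x01\x00\x0a\x00",
                           [(SSID_ELEMENT_ID, b"orinoco-lab"), RATES])
CAPTURE = [HIDDEN_BEACON, NULL_BEACON, PROBE_REQUEST, ASSOC_REQUEST]

if __name__ == "__main__":
    for f in CAPTURE:
        print(extract_ssid(f))
    print("recovered SSID:", recover_ssid(CAPTURE))
```

    Fed real frames (for example read from a monitor-mode interface or
    a pcap), recover_ssid() returns the first name it sees; on a closed
    network the beacons yield nothing and the name comes from the first
    probe or association request sent by a legitimate client, which is
    exactly why withholding it from beacons does not keep it secret.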

    This flaw, and others in 802.11, are described in:

        http://www.cs.umd.edu/~waa/wireless.pdf

SOLUTION

    Vendor informed of the problem on April 1, 2001 via electronic
    mail.  Vendor responded that this is just "one little hurdle .."
    to gaining access.  No fix was provided.  Because the network name
    is broadcast in the clear, it cannot serve as a shared secret, and
    a Closed Network should not be relied upon as an access control.