AirMagnet's intrusion research team has reported a security vulnerability associated with two Cisco wireless LAN access-point devices. The potential exploit, which in context is relatively minor, could nevertheless enable rogue users to gain access to a user's wireless LAN, inject malicious packets and potentially create a Denial-of-Service condition.
The vulnerability affects Cisco's Lightweight Wireless Access Point 1100 and 1200 Series devices. AirMagnet has dubbed the exploit "Skyjack," and explains that it involves the Over-the-Air-Provisioning (OTAP) feature in these wireless access points. An access point can be hijacked by a malicious user who assigns it to a rogue controller that's not part of the user's network.
Here's how AirMagnet frames the specifics of such an attack:
"In normal operation, Cisco APs generate an unencrypted multicast data frame that travels over the air and includes a variety of information in the clear. From these frames a hacker listening to the airwaves could determine the MAC address of the wireless controller that the AP is connected to, the IP address for that controller, and a variety of AP configuration options. . . this allows anyone listening to the network to easily find the internal addresses of the wireless LAN controllers in the network, and potentially target them for attack."
For its part, Cisco has confirmed the vulnerability and has issued an alert, which notes that "only wireless access points that are deployed without a setup configuration are vulnerable."
As protection, Cisco advises admins to preconfigure their access points with preferred controller lists. It also advises monitoring the access points, using Cisco's Infrastructure Rogue Discovery feature, to catch bad actors who glom onto your network.
AirMagnet goes a bit further, recommending that "Cisco customers should be advised not to run the OTAP feature, as it could actively put new sensors in danger of being SkyJacked."
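Cisco's two pieces of advice above (preconfigure preferred controller lists, and watch which controller each access point has actually joined) can be checked together in an inventory audit. The sketch below is an added example, not code from Cisco or AirMagnet; the CSV layout, column names, AP names and addresses are all constructed for illustration, and the allowlist is an assumed site setting.

```python
import csv
import io

# Constructed inventory export: hypothetical column names, documentation-range IPs.
SAMPLE_INVENTORY = """\
ap_name,model,preferred_controllers,joined_controller
lobby-ap1,1100,192.0.2.10;192.0.2.11,192.0.2.10
lab-ap2,1200,,192.0.2.11
dock-ap3,1200,,203.0.113.66
roof-ap4,1100,192.0.2.10,203.0.113.66
"""

AUTHORIZED_CONTROLLERS = {"192.0.2.10", "192.0.2.11"}  # assumed site allowlist
AFFECTED_MODELS = {"1100", "1200"}  # the two series named in the article


def audit(inventory_csv, authorized=AUTHORIZED_CONTROLLERS):
    """Return {ap_name: [findings]} for access points that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        preferred = {
            c.strip() for c in row["preferred_controllers"].split(";") if c.strip()
        }
        joined = row["joined_controller"].strip()
        # Cisco: only APs deployed without a setup configuration are vulnerable.
        if row["model"].strip() in AFFECTED_MODELS and not preferred:
            issues.append("no preferred controller list")
        # A preferred list is only useful if every entry is one of our controllers.
        if preferred - authorized:
            issues.append("preferred list names an unauthorized controller")
        # An AP joined to an unknown controller is the hijacked state described above.
        if joined and joined not in authorized:
            issues.append("joined to unauthorized controller " + joined)
        if issues:
            findings[row["ap_name"]] = issues
    return findings


if __name__ == "__main__":
    for ap, issues in audit(SAMPLE_INVENTORY).items():
        print(ap + ": " + "; ".join(issues))
```
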