Second Cisco WLAN Security Threat Exposed


April 9, 2004

Network Computing

Cisco faced its second serious WLAN security threat this week when a network and security analyst released a tool that attacks the company's proprietary Lightweight Extensible Authentication Protocol (LEAP) wireless authentication system.

Joshua Wright, a senior network and security architect for Johnson & Wales University, said in a posting to an Insecure.org discussion list that he had reported the problem, which makes LEAP vulnerable to offline dictionary attacks, to Cisco. He said the company only issued a "subtle" warning to users.

"In an effort to give Cisco and their customers time to react to this flaw, I told Cisco I would not release my attack code for six months, starting in August 2003," Wright said in his posting. "I plan to keep this promise, although it may be moot since other exploit code has been posted to public forums that exploits the same challenge/response flaw."

After Cisco's inadequate response, Wright said he will release the tool, which is dubbed Asleap. He questioned Cisco for its slow response to what he called a widely known problem.

"My concern when learning about the architecture of the LEAP protocol was that Cisco was continuing to push LEAP to customers as a way to gain market share over stronger wireless authentication protocols such as PEAP and TTLS," Wright said in his posting.

Wright noted that LEAP is a "modified version of MS-CHAPv2 (which) is known to be weak, as documented in many sources."

Wright strongly advised LEAP users to take alternative measures.

"Customers using LEAP should be aware that the usernames and password of their user account are exposed, and should plan for the deployment of alternate authentication mechanisms such as PEAP or TTLS," Wright said in his posting. "Disabling user accounts after successive failed login attempts will not help protect against unauthorized access, since this is an offline attack that can be run at the attacker's leisure. At a bare minimum, LEAP users should immediately audit and expire user passwords that are based on dictionary words, or common derivations."

While this latest disclosure is unlikely to hurt Cisco much, it may hurt the continuing growth of wireless LANs, one industry analyst said.

"If Cisco responds appropriately and offers a fix, it shouldn't hurt them much," said Phil Solis, senior analyst for research firm ABI. "But it could hurt the progress being made in terms of people's perceptions of how secure Wi-Fi is."

He noted that the perception of insecurity has hurt adoption of WLANs in the enterprise, but that perception has been changing as security has improved.

This is the second threat to WLANs based on Cisco equipment this week. On Wednesday, the company issued a security advisory about a security hole in its Wireless LAN Solution Engine, which centrally manages enterprise WLANs, and Hosting Solution Engine, which manages e-business services.
