Cisco OTAP vulnerability
Last Post: September 12, 2009:
-
Have to try this myself!
http://www.net-security.org/secworld.php?id=7924 -
Let us know what you find. I have OTAP turned off, but I'm trying to figure out what kind of packets they are talking about in the section titled "The Exposure". I don't think they are talking about beacon frames (and they are flat wrong if they *are* talking about beacon frames).
I've got support cases opened up with AirMagnet and Cisco to find out more. -
In PA today, NYC for the rest of the week, and will have to wait for the weekend to check out what is in an OTAP packet; thankfully I have a 4400 and 2100 controller at the house. My concern in this situation is that a lot of network info could be broadcast in this OTAP packet, IPs etc. Have never used or enabled OTAP in production WLANs, however I have tried it and know it works. Scary, isn't it!
-
To me, the scary part is that the document says that the packets from which one can determine the controller's MAC and IP address are broadcast regardless of whether OTAP is enabled or not. I've done some captures (with my AirMagnet software), but don't see anything (yet).
-
http://www.youtube.com/watch?v=dZHiY_1p_d0
Jerome from FL has a great YouTube video on OTAP. -
Awesome link - thank you! That explains everything. OTAP uses the RRM packet, but the packet will only contain the controller IP address if OTAP is turned on. I'll verify that against my controller and post back here if this is incorrect (i.e. no news is good news).
-
Wowsers - even with RRM and OTAP disabled, the packets do, indeed, carry the MAC and IP address of the controller to which the AP is joined.
Ouch. -
I'm sorry ... Jerome Henry was robbed. 4 weeks ago Jerome did a great video on OTAP and talked about the security concerns. Then AirMagnet takes credit for it last week...
I lost all respect for AirMagnet ... -
Perhaps a name change is in order. FlukeMagnet?
-
A follow-up on OTAP: note that Cisco plans to patch 6.x to remove OTAP and encrypt the RRM packet.
http://tools.cisco.com/security/center/viewAlert.x?alertId=18919
Cisco Lightweight Access Points contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to insufficient security protections during wireless access point association sequences. An unauthenticated, remote attacker could exploit this vulnerability by injecting malicious packets into the wireless network where newly added access points are seeking controllers. This action could allow the attacker to cause the device to associate to a rogue controller, preventing the device from servicing network clients. An exploit could result in a DoS condition.
Cisco has confirmed this vulnerability; however, software updates are not yet available.
Note: Cisco aims to follow up with a timely patch for 6.0.x, which removes the Over-the-Air Provisioning (OTAP) discovery method and encrypts the information in the Radio Resource Management (RRM) Neighbor Discovery Packet.