December 03, 2003, 1:38 PM — Cisco Systems Inc. is warning customers using its Aironet wireless access points (APs) about a security vulnerability that could allow attackers to obtain keys used to secure communications on wireless networks.
The vulnerability affects Aironet 1100, 1200 and 1400 series access points and could allow WEP (Wired Equivalent Privacy) keys to be sent as plain text over corporate networks that use an SNMP (Simple Network Management Protocol) server and have a specific option enabled on the access point, Cisco said.
SNMP is a network management protocol that allows companies to monitor the operation of network devices using a central server and software agents that track and report on the functioning of SNMP-compliant devices.
To be vulnerable, organizations have to be using an affected Aironet model with the IOS software, have an SNMP server deployed, be using static WEP keys for encryption and have enabled an option on the AP called "snmp-server enable traps wlan-wep." That option is disabled by default on Aironet access points, Cisco said.
SNMP "traps" are alerts that devices create when notable events occur. The wlan-wep trap notifies the SNMP server when events related to the WEP keys occur, such as a change in the key value or a reboot of the access point. Because of the security flaw, Aironet access points will also transmit the values of any static WEP keys being used on the network as clear text to the SNMP server in the trap message, Cisco said.
An opportunistic attacker who could intercept the SNMP traffic would obtain any WEP key values stored on the vulnerable access point and be able to snoop on encrypted wireless communications on the network, the company said.
Cisco issued a patch for vulnerable versions of the IOS software, 12.2(13)JA1 and recommended that customers obtain and install the patch as soon as possible. (See: http://www.cisco.com/warp/public/707/cisco-sa-20031202-SNMP-trap.shtml.)
Customers unable to get the patch can disable the "snmp-server enable traps wlan-wep" option or switch to another encryption method such as EAP (Extensible Authentication Protocol), which Aironet APs support, but which is not affected by the vulnerability, Cisco said.
The disclosure of a security problem with WEP follows other high-visibility patches to the company's Aironet wireless products in recent months.
In July, Cisco patched two holes in the Aironet 1100 series APs that could allow an attacker to disable an Aironet access point in a denial of service attack, or coax user account information out of the device.