Cisco Security Advisory
HTTP GET Vulnerability in AP1x00
-
A vulnerability has been reported by an external researcher in Cisco IOS® release for Cisco Aironet AP1x00 Series Wireless devices. The vulnerability affects only IOS-based Cisco Aironet Wireless products. The VxWorks based Cisco Aironet Wireless Devices are not affected. This vulnerability can cause the AP1x00 to reload and is documented as Cisco bug ID CSCeb49869 ( registered customers only) (also CAN-2003-0511). There are workarounds available to mitigate the effects of this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030728-ap1x00.
The external report can be found at http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm
.
A second external report found at
http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm
details another issue, Cisco bug ID
CSCdz29724
(
registered customers only)
, which is present in all IOS software and
is duplicated by the AP1x00 specific Cisco bug ID
CSCeb49842
(
registered customers only)
(also CAN-2003-512). More details on it can be found at
http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml.
-
This section provides details on affected products.
Vulnerable Products
Only the following Cisco IOS-based wireless Access Points are affected:
Hardware Model
Software Release(s)
Cisco Aironet Wireless Access Point AP1100 series
12.2(4)JA, 12.2(4)JA1, 12.2(8)JA, 12.2(11)JA
Cisco Aironet Wireless Access Point AP1200 series
12.2(8)JA, 12.2(11)JA
Cisco Aironet Wireless Bridge AP1400 series
12.2(11)JA
All previous VxWorks-based software releases for Cisco Aironet Access Point 1200 are not affected. That includes the following, and earlier, software releases: 11.56, 12.01T1, 12.02T1, 12.03T.
In order to determine your software release you should log on the Access Point using any account available and execute the following command:
access-point> show ver Cisco Internetwork Operating System Software IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) ^^^^^^^^^ TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc.
The Cisco IOS software version is displayed in the second line of the output. In this example it is 12.2(8)JA.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Sending a malformed URL to the Cisco Aironet AP1x00 can cause the device to reload.
-
There are two workarounds for this vulnerability. One is to use access-class or access-list commands to limit the access to legitimate hosts only, and another workaround is to disable HTTP and use SSH to administer the Cisco Aironet Access Point.
The example of using access-class is given here:
ap(config)# ip http access-class 10 ap(config)# access-list 10 permit host 10.0.0.1
In this example, host 10.0.0.1 is the only one that is allowed to access the AP. All other hosts are prohibited.
To disable HTTP and enable SSH use this example:
ap(config)# no ip http server ap(config)# ip domain name
ap(config)# crypto key generate rsa The name for the keys will be: ap.your-domain Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys ...[OK] ap(config)# line vty 0 4 ap(config-line)# transport input ssh Now you can connect to the Cisco Aironet AP using SSH client from your computer. There are many free and commercial versions of SSH software available.
In addition to the workarounds it is possible to mitigate the exposure by configuring ACLs on the device so that only legitimate hosts can use the http service. This can be done in the following way:
access-list 111 permit tcp host 10.0.0.1 host 10.0.0.50 eq www
In this example the host 10.0.0.1 is the only one that is allowed to access the device at 10.0.0.50. You will have to change host IP addresses and the ACL number to suit your configuration. This ACL will have to be applied to all interfaces and block all IP addresses assigned to the affected device.
-
The vulnerability is fixed in the 12.2(11)JA1 version of the software for all Cisco Aironet AP1x00 devices.
-
This vulnerability is reported by Reda Zitouni from Vigilante. Their report can be found at http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm
.The Cisco PSIRT is not aware of malicious use of the vulnerability described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2003-July-28 16:00 UTC (GMT)
Initial public release.
Revision 1.1
2003-July-28 18:30 UTC (GMT)
Corrected external report URLs.
Show Less
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.