SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   Wireless Access Point (NETGEAR) Vendors:   NETGEAR
Netgear Wireless Access Point Fails to Restrict SNMP Access, Allowing Remote Users to Control the Device
SecurityTracker Alert ID:  1001797
SecurityTracker URL:  http://securitytracker.com/id/1001797
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 21 2001
Impact:   Denial of service via network, Disclosure of system information, Modification of system information, Root access via network
Vendor Confirmed:  Yes  
Version(s): ME102, with Atmel firmware versions up to and including 1.3
Description:   Internet Security Systems reported a vulnerability in the NETGEAR ME102 Wireless Access Point. The device reportedly does not restrict access to the SNMP management interface, allowing remote users to configure the device, view information about the configuration, and deny service to others using the device.

The vulnerability reportedly resides in the authentication mechanism of the Atmel VNET-B Simple Network Management Protocol (SNMP) implementation (the Atmel device is provided via an Original Equipment Manufacturer (OEM) agreement with NETGEAR).

The Atmel 802.11 VNET-B based Access Point supports the AT76C510 MIB that includes sensitive information like the ESSID, WEP key, and MAC addresses for the Access Point its clients. Access to this MIB is not restricted. The device reportedly does not require a community string to gain access to or control a wireless LAN.

Impact:   A remote user can view and modify the SNMP variables and can gain access to the wireless LAN.
Solution:   Upgrade to firmware version 1.4 when it becomes available. See the Vendor URL for upgrade information.
Vendor URL:  www.netgear.com/product_view.asp?xrp=11&yrp=29&zrp=92 (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  ISSalert: ISS Advisory: Multiple Vendor 802.11b Access Point SNMP authentication flaw



TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net  Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
June 20, 2001

Multiple Vendor 802.11b Access Point SNMP authentication flaw

Synopsis:

ISS X-Force has discovered a serious flaw in the authentication
mechanism of the Atmel VNET-B Simple Network Management Protocol (SNMP)
implementation. Atmel devices are provided via Original Equipment
Manufacturer (OEM) agreements to Netgear and Linksys. These devices do
not implement any SNMP security measures, which may allow an attacker
to gain access to or control a wireless LAN (WLAN).

Impact:

The affected Access Points do not protect their SNMP variables from
users on the network, allowing these variables to be viewed or modified.
Properly designed devices should support SNMP community strings to block
unauthorized users from viewing or modifying SNMP variables. However,
these devices will honor requests to read or write to the Management
Information Base (MIB) with any community string. Attackers may use this
design flaw to gather information about the network, view Wired
Equivalent Privacy (WEP) keys, deny service to wireless clients, or gain
access to the WLAN. 

Affected Versions:

Atmel 802.11b VNET-B based Access Point
     with firmware versions up to and including 1.3 
Linksys WAP11 
     with Atmel firmware versions up to and including 1.3
Netgear ME102
     with Atmel firmware versions up to and including 1.3

Description:

Atmel 802.11 VNET-B based Access Point supports the AT76C510 MIB that
contains information related to all management functions supported by
the device. The MIB includes sensitive information like the ESSID, WEP
key, MAC addresses for the Access Point itself and its clients. A MIB
describes objects that can be managed by SNMP and contains the common
names of objects, the value of the unique object ID (OID), and a
description of each object. This information can be used by an attacker
interested in gaining access to the WLAN associated with the Access
Point. The Atmel device is vulnerable to a Denial of Service (DoS), due
to the fact that it will accept any community string to write to the
MIB. Attackers may launch a DoS attack against the Access Point by 
modifying one or more of the critical values contained in the MIB. 

The AT76C510 MIB also contains variables that control the state of the
the device or restore its configuration to default settings. If an
attacker was interested in removing evidence of compromise, he or she
could also disable SNMP traps sent to SNMP management consoles from the
device.

Recommendations:

There is no workaround for this issue. ISS X-Force recommends installing
the vendor firmware upgrade as soon as it becomes available.

Atmel has made firmware version 1.4 available to Linksys and Netgear.
This update will soon be available from each vendor.

Linksys WAP11 Access Point:
Download the update when it becomes available from: 
http://www.linksys.com/download/firmware.asp

Netgear ME102 Access Point:
Download the update when it becomes available from:
http://www.netgear.com/customer_services.asp

ISS RealSecure and ISS Internet Scanner have been upgraded with the most
comprehensive 802.11b wireless vulnerability and threat detection
available. The upcoming Wireless X-Press Updates will provide extensive
coverage for major security issues found in many popular Access Points.
ISS X-Force recommends upgrading to the latest X-Press Updates when they
become available.

ISS Consulting and Managed Security Services (MSS) can provide a variety
of wireless security offerings including security health checks,
wireless security policy, wireless architecture design, and managed
wireless network protection. 

ISS SecureU is offering educational courses on 802.11 wireless security.  

Please refer to the following URL for more information:
http://www.iss.net/wireless

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2001-0514 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems. 

Credits:

This vulnerability was discovered and researched by Kevin Chou of the
ISS X-Force. Internet Security Systems would like to thank Atmel for
their response and handling of this vulnerability.

______

About Internet Security Systems (ISS) 

Internet Security Systems is the leading global provider of security 
management solutions for the Internet, protecting digital assets and 
ensuring safe and uninterrupted e-business. With its industry-leading 
intrusion detection and vulnerability assessment, remote managed 
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. 
telecommunications companies. Founded in 1994, ISS is headquartered in 
Atlanta, GA, with additional offices throughout North America and 
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security 
Systems web site at www.iss.net or call 888-901-7477.


Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in 
connection with the use or spread of this information. Any use of this
information is at the user's own risk.


X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOzEA2TRfJiV99eG9AQHmRAP9Gv4Sm37KqwLL6EG+x5ymYIDyf0tGb9n9
srTHxClq1cQGBcm+I4K8lIxiW9GHWwLMOSPlKLQmAXmFGVW+NafEieWwaJmW0O02
R1Fh+78bpuTXV9wa5Q+CeX0UnBmDwiSn3vT5YtpjpZKHaWBSEr3ngK6zaHQsQZlz
g2OHV7yhbqA=
=Ft4r
-----END PGP SIGNATURE-----


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC