Izdana je revizija sigurnosnog upozorenja koje opisuje propust u WPS (eng. Wi-Fi Protected Setup) protokolu kod Cisco uređaja koji rade u PIN External Registrar (PIN-ER) modu. Propust omogućuje udaljenom napadaču neovlašteni pristup sustavu.
| Paket: | |
| Operacijski sustavi: | Cisco Wireless Control System (WCS) |
| Problem: | nepravilno rukovanje lozinkama |
| Iskorištavanje: | udaljeno |
| Posljedica: | neovlašteni pristup sustavu |
| Rješenje: | zaobilazno rješenje (workaround) |
| Izvorni ID preporuke: | 690 |
| Izvor: | Cisco |
| Problem: | |
| Propust je uzrokovan nesigurnim korištenjem lozinke kao metode autentifikacije u WPS (eng. Wi-Fi Protected Setup) protokolu. Zbog predvidljivih lozinki, napadač može lozinku pogoditi relativno brzo koristeći brute-force napad. |
|
| Posljedica: | |
| Udaljeni napadač može u kratkom vremenu pogoditi lozinku nakon čega ima neovlašteni pristup sustavu. |
|
| Rješenje: | |
| Kao metoda zaštite preporuča se isključivanje WPS značajke. |
|
Izvorni tekst preporuke
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Document ID: 690
Revision 1.1
Last Updated on 2012 January 11 16:50 UTC (GMT)
For Public Release 2012 January 11 16:00 UTC (GMT)
+--------------------------------------------------------------------
Cisco Response
==============
On December 27th, 2011 US-CERT released VU#723755 available here:
http://www.kb.cert.org/vuls/id/723755
The US-CERT Vulnerability Note describes a vulnerability that exists
in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) protocol, also
known as Wi-Fi Simple Config, when devices are operating in PIN
External Registrar (PIN-ER) mode. Devices operating in PIN-ER mode
allow a WPS capable client to supply only the correct WPS PIN to
configure their client on a properly secured network. A weakness in
the protocol affects all devices that operate in the PIN-ER mode, and
may allow an unauthenticated, remote attacker to brute force the WPS
configuration PIN in a short amount of time.
The vulnerability is due to a flaw that allows an attacker to
determine when the first 4-digits of the eight-digit PIN are known.
This effectively reduces the PIN space from 10^7 or 10,000,000
possible values to 10^4 + 10^3 which is 11,000 possible values. The
eighth digit of the PIN is utilized as a checksum of the first 7
digits and does not contribute to the available PIN space. Because
the PIN space has been significantly reduced, an attacker could brute
force the WPS pin in as little as a few hours.
While the affected devices listed below implement the WPS 1.0
standard which requires that a 60-second lockout be implemented after
three unsuccessful attempts to authenticate to the device, this does
not substantially mitigate this issue as it only increases the time
to exploit the protocol weakness from a few hours to at most several
days. It is our recommendation to disable the WPS feature to prevent
exploitation of this vulnerability.
Vulnerable Products:
+-------------------
+-------------------------------------------------------------------+
| Product | Is the WPS feature | Can the WPS feature be |
| Name | enabled by default? | permanently disabled? |
|-------------------------------------------------------------------|
| Access Points |
|-------------------------------------------------------------------|
| Cisco | Yes | Yes |
| WAP4410N | | |
|-------------------------------------------------------------------|
| Unified Communications |
|-------------------------------------------------------------------|
| Cisco | Yes | No |
| UC320W | | |
|-------------------------------------------------------------------|
| Wireless Routers/VPN/Firewall Devices |
|-------------------------------------------------------------------|
| Cisco | Yes | Yes |
| RV110W | | |
|-----------+-------------------------+-----------------------------|
| Cisco | No | Yes |
| RV120W | | |
|-----------+-------------------------+-----------------------------|
| Cisco | Yes | Yes |
| SRP521W | | |
|-----------+-------------------------+-----------------------------|
| Cisco | Yes | Yes |
| SRP526W | | |
|-----------+-------------------------+-----------------------------|
| Cisco | Yes | Yes |
| SRP527W | | |
|-----------+-------------------------+-----------------------------|
| Cisco | Yes | Yes |
| SRP541W | | |
|-----------+-------------------------+-----------------------------|
| Cisco | Yes | Yes |
| SRP546W | | |
|-----------+-------------------------+-----------------------------|
| Cisco | Yes | Yes |
| SRP547W | | |
|-----------+-------------------------+-----------------------------|
| Cisco | Yes | Yes |
| WRP400 | | |
+-------------------------------------------------------------------+
Note: The Cisco Valet product line is maintained by the Cisco Linksys
Business Unit. Information concerning the Cisco Valet line as well as
information on Linksys by Cisco products will be forthcoming.
Products Confirmed Not Vulnerable:
+---------------------------------
+-------------------------------------------------------------------+
| Product Name | Not Affected Reason |
|-------------------------------------------------------------------|
| Access Points/Wireless Bridges |
|-------------------------------------------------------------------|
| Cisco AP541N | Does not support WPS |
|-------------------------------+-----------------------------------|
| Cisco WAP200 | Does not support WPS |
|-------------------------------+-----------------------------------|
| Cisco WAP200E | Does not support WPS |
|-------------------------------+-----------------------------------|
| Cisco WAP2000 | Does not support WPS |
|-------------------------------+-----------------------------------|
| Cisco WET200 | Does not support WPS |
|-------------------------------------------------------------------|
| Unified Communications |
|-------------------------------------------------------------------|
| Cisco UC500 Series | Does not support WPS |
|-------------------------------------------------------------------|
| Wireless Cameras |
|-------------------------------------------------------------------|
| Cisco WVC210 | Does not support WPS |
|-------------------------------+-----------------------------------|
| Cisco WVC2300 | Does not support WPS |
|-------------------------------------------------------------------|
| Wireless Routers/VPN/Firewall Devices |
|-------------------------------------------------------------------|
| | WPS not enabled by default |
| Cisco SA520W | Does not support PIN-ER |
| | configuration Mode |
|-------------------------------+-----------------------------------|
| Cisco RV220W | Does not support WPS |
|-------------------------------+-----------------------------------|
| Cisco WRV210 | Does not support WPS |
|-------------------------------+-----------------------------------|
| Cisco WRVS4400N | Does not support WPS |
+-------------------------------------------------------------------+
Additional Information
======================
Workarounds:
+-----------
Disable the Wi-Fi Protected Setup feature on devices that allow the
feature to be disabled, as listed in the Vulnerable Products table.
Cisco Systems has verified that the products that support disabling
the WPS feature do indeed disable it and are not vulnerable once the
feature has been disabled from the management interface.
Fixed Software:
+--------------
+-------------------------------------------------------------------+
| Product Name | Fixed Software |
|--------------------------------+----------------------------------|
| Cisco WAP4410 | To Be Released |
|--------------------------------+----------------------------------|
| Cisco RV110W | To Be Released |
|--------------------------------+----------------------------------|
| Cisco RV120W | To Be Released |
|--------------------------------+----------------------------------|
| Cisco UC320W | To Be Released |
|--------------------------------+----------------------------------|
| Cisco SRP521W | To Be Released |
|--------------------------------+----------------------------------|
| Cisco SRP526W | To Be Released |
|--------------------------------+----------------------------------|
| Cisco SRP527W | To Be Released |
|--------------------------------+----------------------------------|
| Cisco SRP541W | To Be Released |
|--------------------------------+----------------------------------|
| Cisco SRP546W | To Be Released |
|--------------------------------+----------------------------------|
| Cisco SRP547W | To Be Released |
|--------------------------------+----------------------------------|
| Cisco WRP400 | To Be Released |
+-------------------------------------------------------------------+
Note: The Cisco Valet product line is maintained by the Cisco Linksys
Business Unit. Information concerning the Cisco Valet line as well as
information on Linksys by Cisco products will be forthcoming.
Exploitation and Public Announcements:
======================================
Exploit code and functional attack tools that exploit the weakness
within the WPS protocol have been released.
This vulnerability was discovered by Stefan Viehbock and Craig
Heffner.
Status of this Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Revision History
+-------------------------------------------------------------------+
| Revision | | Corrected text mistakes in |
| 1.1 | 2012-January-11 | researcher's name and Revision |
| | | History table. |
|----------+-----------------+--------------------------------------|
| Revision | 2012-January-11 | Initial draft |
| 1.0 | | |
+-------------------------------------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk8OGPUACgkQQXnnBKKRMNBt3wD9FQrfOanLXGhswmxGTG+HZgpK
4TyejsdsIGwBQ5c7Ki8A/jb62yqtw08UHt2+a4CC9TJmbbxXBl9ByQJ3XoX49/EX
=DW5P
-----END PGP SIGNATURE-----
_______________________________________________
cust-security-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
To unsubscribe, send the command "unsubscribe" in the subject of your message to
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
Posljednje sigurnosne preporuke