VIGILANTe Security Watch Advisory
Name: Cisco Aironet AP 1100 Malformed HTTP Request Crash Vulnerability
Systems Affected: Tested on a Cisco Aironet AP1100 Model 1120B Series Wireless device.
Firmware version 12.2(4)JA and earlier.
Severity: High Risk
Vendor URL: http://www.vigilante.com
Authors: Reda Zitouni ([EMAIL PROTECTED])
Date: 28th July 2003
Advisory Code: VIGILANTE-2003001
Description
***********
Cisco Aironet 1100 Series Access Point is a device manufactured by Cisco Systems offering a WLAN solution based on the 802.11b Wi-Fi standard.
The Aironet Bridge is vulnerable to a denial of service. This can be exploited remotely by an attacker. No user login or password is necessary.
Details
*******
It is possible to cause a Cisco Aironet Access Point to crash and reboot if the
HTTP server feature is enabled. This can be accomplished by submitting a
specially crafted request to the web server. There is no need to authenticate
to perform this attack; only access to the web server is required. The Aironet
bridge fails to handle the request correctly and reboots upon receiving it.
Afterwards, no further access to the WLAN or its services is possible.
Vendor status:
**************
Cisco was contacted June 19, 2003 and answered the same day. 5 days later, they told us that they would release a patch soon. The patch was finally released July 3, 2003.
Vulnerability Assessment:
A test case to detect this vulnerability was added to SecureScan NX in the upgrade package of July 28, 2003. You can see the documentation of this test case, 17655, on the SecureScan NX web site at http://securescannx.vigilante.com/tc/17655 .
Fix: Cisco has released firmware that upgrades the Aironet IOS version to c1100-k9w7. Please note that this version also fixes some other bugs, such as TC 15438 (refer to the release note).
Workaround:
***********
1. If not needed - disable access to the web feature on the Aironet Bridge.
2. If needed - restrict access to the HTTP service for outside connections.
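An added example (not part of the VIGILANTe advisory): a Python check that reads a saved running-config and reports whether either workaround above is in place. It assumes standard Cisco IOS syntax (`ip http server`, `ip http access-class`, numbered standard `access-list`); the function name and the sample configs are constructed for illustration.

```python
import re

# Constructed sample configs (not taken from the advisory or a real device).
EXPOSED = "hostname ap-lobby\nip http server\n"
DISABLED = "hostname ap-store\nno ip http server\n"
RESTRICTED = (
    "hostname ap-lab\n"
    "access-list 10 permit 192.0.2.0 0.0.0.255\n"
    "ip http server\n"
    "ip http access-class 10\n"
)
OPEN_ACL = "access-list 20 permit any\nip http server\nip http access-class 20\n"
MISSING_ACL = "ip http server\nip http access-class 30\n"

# Standard-ACL rules that match every source address.
ANY_SOURCES = ("permit any", "permit 0.0.0.0 255.255.255.255")


def audit_http_exposure(config):
    """Return (status, reason) for one saved running-config."""
    enabled, acl_ref, acls = None, None, {}
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "ip http server":
            enabled = True
        elif line == "no ip http server":
            enabled = False
        elif m := re.fullmatch(r"ip http access-class (\d+)", line):
            acl_ref = m.group(1)
        elif m := re.fullmatch(r"access-list (\d+) ((?:permit|deny) .+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))

    if enabled is False:
        return "disabled", "web feature is off (workaround 1)"
    if enabled is None:
        return "unknown", "no explicit HTTP server line; check the platform default"
    if acl_ref is None:
        return "exposed", "HTTP server enabled with no access-class"
    rules = acls.get(acl_ref)
    if not rules:
        # Conservative: a referenced ACL we cannot see gives no assurance.
        return "exposed", f"access-list {acl_ref} is not defined in this config"
    if any(rule.startswith(ANY_SOURCES) for rule in rules):
        return "exposed", f"access-list {acl_ref} permits any source"
    return "restricted", f"HTTP limited by access-list {acl_ref} (workaround 2)"


if __name__ == "__main__":
    for name in ("EXPOSED", "DISABLED", "RESTRICTED", "OPEN_ACL", "MISSING_ACL"):
        print(name, audit_http_exposure(globals()[name]))
```

Devices reported as "restricted" or "disabled" are still running the affected firmware until upgraded, so the result tracks the workaround only, not the fix.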
CVE: The Common Vulnerabilities and Exposures group (reachable at http://cve.mitre.org/ ) was contacted and assigned CAN-2003-0511 to this vulnerability.
Links:
*****
Cisco Advisory: http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml
Vigilante Advisory: http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm
Product Homepage: http://www.cisco.com/warp/public/cc/pd/witc/ps4570
CVE: CAN-2003-0511 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CAN-2003-0511
Credit:
******
This vulnerability was discovered by Reda Zitouni, member of our Security Watch Team at VIGILANTe.
We wish to thank Cisco PSIRT Team for their fast answer to fix this problem.
Copyright VIGILANTe.com, Inc. 2003-07-28
Disclaimer:
**********
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.