Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.0051 Cisco Security Response: Wi-Fi Protected Setup PIN Brute Force Vulnerability 12 January 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Wi-Fi Protected Setup (WPS) Publisher: Cisco Systems Operating System: Cisco Impact/Access: Reduced Security -- Remote/Unauthenticated Resolution: Mitigation Reference: ESB-2012.0029 Original Bulletin: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps Comment: This bulletin is Cisco's response to the US-CERT vulnerability note #723755 (AusCERT bulletin ESB-2012.0029). Cisco are recommending the best solution is to disable WPS. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Document ID: 690 Revision 1.1 Last Updated on 2012 January 11 16:50 UTC (GMT) For Public Release 2012 January 11 16:00 UTC (GMT) +-------------------------------------------------------------------- Cisco Response ============== On December 27th, 2011 US-CERT released VU#723755 available here: http://www.kb.cert.org/vuls/id/723755 The US-CERT Vulnerability Note describes a vulnerability that exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) protocol, also known as Wi-Fi Simple Config, when devices are operating in PIN External Registrar (PIN-ER) mode. Devices operating in PIN-ER mode allow a WPS capable client to supply only the correct WPS PIN to configure their client on a properly secured network. A weakness in the protocol affects all devices that operate in the PIN-ER mode, and may allow an unauthenticated, remote attacker to brute force the WPS configuration PIN in a short amount of time. The vulnerability is due to a flaw that allows an attacker to determine when the first 4-digits of the eight-digit PIN are known. This effectively reduces the PIN space from 10^7 or 10,000,000 possible values to 10^4 + 10^3 which is 11,000 possible values. The eighth digit of the PIN is utilized as a checksum of the first 7 digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could brute force the WPS pin in as little as a few hours. While the affected devices listed below implement the WPS 1.0 standard which requires that a 60-second lockout be implemented after three unsuccessful attempts to authenticate to the device, this does not substantially mitigate this issue as it only increases the time to exploit the protocol weakness from a few hours to at most several days. It is our recommendation to disable the WPS feature to prevent exploitation of this vulnerability. Vulnerable Products: +------------------- +-------------------------------------------------------------------+ | Product | Is the WPS feature | Can the WPS feature be | | Name | enabled by default? | permanently disabled? | |-------------------------------------------------------------------| | Access Points | |-------------------------------------------------------------------| | Cisco | Yes | Yes | | WAP4410N | | | |-------------------------------------------------------------------| | Unified Communications | |-------------------------------------------------------------------| | Cisco | Yes | No | | UC320W | | | |-------------------------------------------------------------------| | Wireless Routers/VPN/Firewall Devices | |-------------------------------------------------------------------| | Cisco | Yes | Yes | | RV110W | | | |-----------+-------------------------+-----------------------------| | Cisco | No | Yes | | RV120W | | | |-----------+-------------------------+-----------------------------| | Cisco | Yes | Yes | | SRP521W | | | |-----------+-------------------------+-----------------------------| | Cisco | Yes | Yes | | SRP526W | | | |-----------+-------------------------+-----------------------------| | Cisco | Yes | Yes | | SRP527W | | | |-----------+-------------------------+-----------------------------| | Cisco | Yes | Yes | | SRP541W | | | |-----------+-------------------------+-----------------------------| | Cisco | Yes | Yes | | SRP546W | | | |-----------+-------------------------+-----------------------------| | Cisco | Yes | Yes | | SRP547W | | | |-----------+-------------------------+-----------------------------| | Cisco | Yes | Yes | | WRP400 | | | +-------------------------------------------------------------------+ Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming. Products Confirmed Not Vulnerable: +--------------------------------- +-------------------------------------------------------------------+ | Product Name | Not Affected Reason | |-------------------------------------------------------------------| | Access Points/Wireless Bridges | |-------------------------------------------------------------------| | Cisco AP541N | Does not support WPS | |-------------------------------+-----------------------------------| | Cisco WAP200 | Does not support WPS | |-------------------------------+-----------------------------------| | Cisco WAP200E | Does not support WPS | |-------------------------------+-----------------------------------| | Cisco WAP2000 | Does not support WPS | |-------------------------------+-----------------------------------| | Cisco WET200 | Does not support WPS | |-------------------------------------------------------------------| | Unified Communications | |-------------------------------------------------------------------| | Cisco UC500 Series | Does not support WPS | |-------------------------------------------------------------------| | Wireless Cameras | |-------------------------------------------------------------------| | Cisco WVC210 | Does not support WPS | |-------------------------------+-----------------------------------| | Cisco WVC2300 | Does not support WPS | |-------------------------------------------------------------------| | Wireless Routers/VPN/Firewall Devices | |-------------------------------------------------------------------| | | WPS not enabled by default | | Cisco SA520W | Does not support PIN-ER | | | configuration Mode | |-------------------------------+-----------------------------------| | Cisco RV220W | Does not support WPS | |-------------------------------+-----------------------------------| | Cisco WRV210 | Does not support WPS | |-------------------------------+-----------------------------------| | Cisco WRVS4400N | Does not support WPS | +-------------------------------------------------------------------+ Additional Information ====================== Workarounds: +----------- Disable the Wi-Fi Protected Setup feature on devices that allow the feature to be disabled, as listed in the Vulnerable Products table. Cisco Systems has verified that the products that support disabling the WPS feature do indeed disable it and are not vulnerable once the feature has been disabled from the management interface. Fixed Software: +-------------- +-------------------------------------------------------------------+ | Product Name | Fixed Software | |--------------------------------+----------------------------------| | Cisco WAP4410 | To Be Released | |--------------------------------+----------------------------------| | Cisco RV110W | To Be Released | |--------------------------------+----------------------------------| | Cisco RV120W | To Be Released | |--------------------------------+----------------------------------| | Cisco UC320W | To Be Released | |--------------------------------+----------------------------------| | Cisco SRP521W | To Be Released | |--------------------------------+----------------------------------| | Cisco SRP526W | To Be Released | |--------------------------------+----------------------------------| | Cisco SRP527W | To Be Released | |--------------------------------+----------------------------------| | Cisco SRP541W | To Be Released | |--------------------------------+----------------------------------| | Cisco SRP546W | To Be Released | |--------------------------------+----------------------------------| | Cisco SRP547W | To Be Released | |--------------------------------+----------------------------------| | Cisco WRP400 | To Be Released | +-------------------------------------------------------------------+ Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming. Exploitation and Public Announcements: ====================================== Exploit code and functional attack tools that exploit the weakness within the WPS protocol have been released. This vulnerability was discovered by Stefan Viehbock and Craig Heffner. Status of this Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Revision History +-------------------------------------------------------------------+ | Revision | | Corrected text mistakes in | | 1.1 | 2012-January-11 | researcher's name and Revision | | | | History table. | |----------+-----------------+--------------------------------------| | Revision | 2012-January-11 | Initial draft | | 1.0 | | | +-------------------------------------------------------------------+ Cisco Security Procedures Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- - -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iF4EAREIAAYFAk8OGPUACgkQQXnnBKKRMNBt3wD9FQrfOanLXGhswmxGTG+HZgpK 4TyejsdsIGwBQ5c7Ki8A/jb62yqtw08UHt2+a4CC9TJmbbxXBl9ByQJ3XoX49/EX =DW5P - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBTw4mS+4yVqjM2NGpAQKW7w//R7g0ZUfg61p6iOVZLy7HZ6oAy8XcxF4R 0iJaemn569Us/UA8Sn9aCxxQ7B2im0cTEsBwFQUyT60oD5XHkDjEP70BR1BkJUzc mbLzB5GWSpZv3FrSQ6kcCufZfByWYnVFObJqyKTV3MxUy+hedY34g2f6DVrdURc3 pe41IeT0lpm/SVACGbGdtjGhR79DvvMkf8aZP2uhGM45boK58soVW+lEQnxDZ9Wc 9F78cFhtOTYUR0VjbNFARDSUa+8UVNGq+Xsx9Y8xXZeHMaT22/gpcJLgMrTC9tDT +r+SmYQ0ghHOq3f/ZLHG5aMY2spY5HoXidTKWsJna/PZpWZ6GGfYsSjeXMHcf5wD z7U/SbZRGRGe9NHrd2f0fjRq3SAbZyGSX2ETIwbPCDvKPMfB1QHoASwWQYoKSHHy 39tEBwN+Yez2FTexmIQamyrZb4QTzPsBxZOxaxf1snDMcFKS7tOZsDURmKN/plFz SigTqEaSlKTAVnNznLEm9mbdOW3u8+yj54uBGHweWs4wvp6ry+n3G16qoWJZXW2G 6L+uqG5dH3ewyUS2Tc7T0uIbc0tqCj8lfgPdpYsAyGqII81Rww+fDQIsp76eMdB8 e7KZOYL+1GONFKSWhhVrw9UX4Ahztldf3ng5ua54Qi7vtQ8fxl6RYw0/38D09eRY uR4irEYpkmY= =0eMX -----END PGP SIGNATURE-----