MY80211.com

Note the WPS vulnerability is with home and soho devices and not with Cisco enterprise gear. Note the models below:

Cisco Response

On December 27th, 2011 US-CERT released VU#723755 available here: http://www.kb.cert.org/vuls/id/723755

The US-CERT Vulnerability Note describes a vulnerability that exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) protocol, also known as Wi-Fi Simple Config, when devices are operating in PIN External Registrar (PIN-ER) mode.  Devices operating in PIN-ER mode allow a WPS capable client to supply only the correct WPS PIN to configure their client on a properly secured network.  A weakness in the protocol affects all devices that operate in the PIN-ER mode, and may allow an unauthenticated, remote attacker to brute force the WPS configuration PIN in a short amount of time.

The vulnerability is due to a flaw that allows an attacker to determine when the first 4-digits of the eight-digit PIN are known.  This effectively reduces the PIN space from 10⁷ or 10,000,000 possible values to 10⁴ + 10³ which is 11,000 possible values. The eighth digit of the PIN is utilized as a checksum of the first 7 digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could brute force the WPS pin in as little as a few hours.

While the affected devices listed below implement the WPS 1.0 standard which requires that a 60-second lockout be implemented after three unsuccessful attempts to authenticate to the device, this does not substantially mitigate this issue as it only increases the time to exploit the protocol weakness from a few hours to at most several days.  It is our recommendation to disable the WPS feature to prevent exploitation of this vulnerability.

Vulnerable Products:

Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming.

Products Confirmed Not Vulnerable:

Additional Information

Workarounds:

Disable the Wi-Fi Protected Setup feature on devices that allow the feature to be disabled, as listed in the Vulnerable Products table.  Cisco Systems has verified that the products that support disabling the WPS feature do indeed disable it and are not vulnerable once the feature has been disabled from the management interface.

Fixed Software:

Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming.

Exploitation and Public Announcements:

Exploit code and functional attack tools that exploit the weakness within the WPS protocol have been released.

This vulnerability was discovered by Stefan Viehböck and Craig Heffner.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Revision History

A more recent bug found on 1.4(1) 792x handset code. Something to take note if you're on this code and using voice on 802.11a

CSCtk58591 Bug Details

792x phone may not reconnect when invalid 5 GHz beacon received
Symptom: 792x phone may not reconnect when invalid 5 GHz beacon received. Conditions: 792x phone going out of range then comes back in range when set to scan 5 GHz. Workaround: Power cycle the phone. Use 802.11b/g only mode.	Status Open Severity 3 - moderate Last Modified In Last 3 Days Product Cisco Unified IP Phone 7900 Series Technology Wireless, Mobile 1st Found-In 1.4(1)
Interpreting This Bug Bug Toolkit provides access to the latest raw bug data so you have the earliest possible knowledge of bugs that may affect your network, avoiding un-necessary downtime or inconvenience. Because you are viewing a live database, sometimes the information provided is not yet complete or adequately documented. To help you interpret this bug data, we suggest the following: This bug has a Moderate severity 3 designation. Things fail under unusual circumstances, or minor features do not work at all, or things fail but there is a low-impact workaround. This is the highest level for documentation bugs. (Bug Toolkit may not provide access to all documentation bugs.) Severity levels are designated by the engineering teams working on the bug. Severity is not an indication of customer priority which is another value used by engineering teams to determine overall customer impact. Bug documentation often assumes intermediate to advanced troubleshooting and diagnosis knowledge. Novice users are encouraged to seek fully documented support documents and/or utilize other support options available.

End-of-Sale and End-of-Life Announcement for the Cisco 2100 Series Wireless LAN Controllers
Url: http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/end_of_life_notice_c51-691053.html
Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco 2100 Series Wireless LAN Controllers. The last day to order the affected product(s) is May 2, 2012. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2011-11-04 16:30:00.0

Title: End-of-Sale and End-of-Life Announcement for the Cisco Aironet 1520 Series
Url: http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps8368/end_of_life_notice_c51-688859.html
Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco Aironet 1520 Series. The last day to order the affected product(s) is March 30, 2012. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2011-09-30 15:05:00.0

Title: End-of-Sale and End-of-Life Announcement for the Cisco Aironet 1400 Series
Url: http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5279/end_of_life_notice_c51-689032.html
Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco Aironet 1400 Series. The last day to order the affected product(s) is December 30, 2011. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2011-10-20 12:53:00.0

DONT PING YOUR CISCO WLCs! LOL

Document ID: 112916

Advisory ID: cisco-sa-20110427-wlc

http://www.cisco.com/warp/public/707/cisco-sa-20110427-wlc.shtml

Revision 1.0

For Public Release 2011 April 27 1600 UTC (GMT)

Contents

Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary

The Cisco Wireless LAN Controller (WLC) product family is affected by a denial of service (DoS) vulnerability where an unauthenticated attacker could cause a device reload by sending a series of ICMP packets.

Cisco has released free software updates that address this vulnerability.

There are no available workarounds to mitigate this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110427-wlc.shtml.

[Expand all sections]     [Collapse all sections]

Affected Products

Vulnerable Products

This vulnerability affects Cisco WLC software versions 6.0 and later. The following products are affected by the vulnerability described in this Security Advisory:

• Cisco 2100 Series Wireless LAN Controllers
• Cisco WLC526 Mobility Express Controller (AIR-WLC526-K9)
• Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
• Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)

Note: The Cisco NM-AIR-WLC have reached End-of-Life and End-of-Software Maintenance. Please refer to the following document for more information:

http://www.cisco.com/en/US/prod/collateral/modules/ps2797/prod_end-of-life_notice0900aecd806aeb34.html



We are deploying thosands of Cisco 7925 handsets with Wavelink. After extensive testing I discovered that I could not get the phone to reboot after a profile push. I reached out to Wesley Terry (Cisco's Escalation Team) and BAM! He delivers for me ... Thanks Wesley !



I was working with a colleague when I noticed the WLAN Summary Display on the WLC showed NO clients, when we knew there was indeed clients. In fact when you hit the client page there was over 100 clients on the controller.

After looking at another controller the WLAN Summary Display showed 30,000+ clients, again we knew this wasn't accurate. After speaking with a Cisco SE we discovered there is a bug in 7.0.98.0, "WLAN summary display defect causing wrong count to be displayed, defect number CSCth52309" 

This bug is fixed in 7.0.114.51 or greater.

As of this post this BUG was not in the bug tool kit. However it comes from a very reliable Cisco SE.

If you are using Cisco ACS 5.1 or 5.2 and you use EAP-PEAP with MSCHAP v2 you should be aware of bug CSCth66302. It’s nasty and could impact your wireless network.

If you leverage EAP-PEAP MS-CHAPv2 in your environment and you are using Cisco ACS version 5.1 or 5.2 you need to be aware of this bug!

The bug we hit was CSCth66302 and it wasn’t pretty. As wireless clients attempted to authenticate the Cisco ACS responded with client failures, thus not authenticating the clients. When you looked at the ACS logs you would immediately see “Radius Authentication Request Rejected due to critical logging error”   in nice big red letters! When you looked at the WLC the logs showed all the EAP-PEAP clients failing authentication.

Interestingly enough, the Cisco WLC NEVER moved to the back up ACS, which was configured under the WLAN. Why? Because the local ACS sever (which was failing) still responded to the client via the WLC. As far as the WLC was concerned, the ACS responded and life was good!

 The Temporary Work Around from TAC

If you still get these messages the workaround is to restart ACS runtime service from the CLI:-

# acs stop runtime
# acs start runtime

Fix Coming in Release 5.3

Cisco TAC stated a fix will be released in ACS 5.3, which is yet to be released.

BUG Information 

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html  

Title: End-of-Sale and End-of-Life Announcement for the Cisco 3350 Mobility Services Engine

Url: http://www.cisco.com/en/US/prod/collateral/wireless/ps9733/ps9742/end_of_life_notice_c51-643839.html

Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco® 3350 Mobility Services Engine. The last day to order the affected product(s) is June 5, 2011. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2011-03-07 09:00:00.0

Title: End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers

Description: Cisco announces the end-of-sale and end-of life dates for the Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers. The last day to order the affected product(s) is June 13, 2011. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin.

Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2010-12-13 09:00:00.0

http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps7185/ps6915/end_of_life_notice_c51-634675.html

Here is the official announcement from Cisco on the EOS / EOL of the Cisco 4400 controller

Title: End-of-Sale and End-of-Life Announcement for the Cisco 4400 Series Wireless LAN Controllers

Description: Cisco announces the end-of-sale and end-of life dates for the Cisco 4400 Series Wireless LAN Controllers.

The last day to order the affected product(s) is June 13, 2011. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement.

For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2010-12-13 09:00:00.0

http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6366/end_of_life_notice_c51-634665.html

Cisco’s recommend WiSM configuration practice will make you vulnerable – by George Stefanick

I was asked, “The WiSM Config Practice has been out for years, how did you find this ?” The devil is in the details.... 

WiSM Configuration Practice

The initial steps in configuring a Cisco WiSM is what I like to call a “configure-and-forget” step. This is because once the WiSM is configured and married to the backplane of the Sup720 via the “service port” its rare one would need to revisit this procedure again.

There are a number of Cisco WiSM Configuration guides available at cisco.com explaining this process. We will get into these in a bit… 

What is the WiSM “service port”?

First lets understand what the service port interface is and the purpose of the service port. The WiSM service port is one of many ports on a Cisco WiSM. They include the management, ap manager, virtual, service and the operator dynamic interfaces.

•  Management interface (pre-defined and mandatory)
•  AP-Manager interface (pre-defined and mandatory)
•  Virtual interface (pre-defined and mandatory)
•  Service-port interface (pre-defined and mandatory)
•  Operator-defined interface (user-defined)

Cisco’s 4400 and 5500 model controller’s service port is used for out-of-bandwidth management. The service port is a physical port supported on these models, whereby allowing you physical access with a console / null modem cable.

Contrary to the service port on the 4400 and  5500’s models. The WiSM service port is NOT used for out-of-bandwidth management. Rather it is used to synchronize the supervisor engine (720) and the WiSM. 

How does the “service port” on the Cisco WiSM connect to the Sup720?

Once the WiSM is installed, you enter the Sup720 and create a local vlan for the purpose of communications between both the WiSM and the Sup720.  Cisco references vlan 192 in their WiSM config documents, but of course any vlan number can be used. 

Cisco’s WiSM Configuration documentation goes a step further and states to create an SVI interface. An SVI interface is a gateway to bridge traffic. (Here in lies the problem. I will cover in more detail in the next section.)

(See below reference and links to Cisco WiSM configuration Guides, note the SVI interface recommendations and the lack of an ACL) 

The Vulnerability

The Cisco WiSM Configuration Guides detail the creation of an SVI interface for the purpose of the service port interface. For example;

Sup720(config)# interface Vlan 192
Sup720(config-if)# ip address 192.168.10.1 255.255.255.0
Sup720(config-if)# no shutdown
Sup720(config-if)# exit

The Cisco WiSM Guides makes no reference to an ACL which would restrict traffic access to the service port SVI interface. By creating the SVI interface you have a “connected route” from users who terminate to the 6500 to reach the SVI interface. This would include wired and wireless users. Essentially, inside users have access to the WiSM service port. This would also include wireless guest!

Lets follow the packet:

1)     Wireless client pings 192.168.10.1

2)     The packet egresses the wireless client and 802.11 headers are applied

3)     The packet travels via RF

4)     Packet reaches Access Point

5)     Access points encapsulates the packet in a LWAPP/CAPWAP headers

6)     The packet is then sent to the Cisco WiSM / Controller

7)     The WiSM removes the LWAPP/CAPWAP encapsulation and adds 802.3 headers

8)     The WiSM places the packet on the wired

9)     The packet transverses the router to the connected 192.168.10.1 SVI interface

I’m positive this is an oversight by Cisco. Recent conversations with Cisco SE’s, Cisco TAC and other peers agree this is an issue on many levels.

Engineers and Admins who configure the WiSM for the first time or perhaps engineers who have little knowledge would follow the Cisco WiSM Configuration Guide step by step. Not understanding that an ACL needs to be applied to the SVI interface for the WiSM service port. 

Real World Examples:

Lets cover why this is an issue with some real world examples:

Example#1 –

Your inside networks are 10.x.x.x and 172.x.x.x. Your service port on the WiSM is configured for 192.168.10.x network. Users who terminated to the cat / Sup 720 that houses the WiSM has access to the SVI interface 192.168.10.x. Why, because it is a connected route. The traffic will bridge over from 10 / 172  to the 192 network.

Example#2 –

Suppose you don’t have a Cisco WLC to anchor guest traffic. Your wireless guest traffic terminates to the  cat / Sup720 that houses the WiSM. Let suppose you ACL your "GUEST" SVI interface denying your known inside networks. You think you are done and call it a day.

DENY 10.0.0.0 (inside network)

But did you remember to deny 192.168.10.x? If you didn’t your wireless guest now have access to your service port

How to Fix it:

If you configured an SVI interface. Simply ACL the SVI not to allow ANY network access to this SVI interface.  

Conclusion:

I admit this isn’t a five-alarm hole. You don’t have to drop everything you are doing.  But it is one that needs to be addressed if you followed Cisco WiSM Configuration Guides.

Cisco links to WiSM Config

http://www.cisco.com/en/US/docs/wireless/technology/wism/technical/reference/appnote.html

! - Create a vlan in the Supervisor 720, this vlan is local to the chassis and is used for

communication between Cisco WiSM and Catalyst Supervisor 720 over a Gigabit interface on

the Supervisor and service-port in the Cisco WiSM. 

Sup720(config)# vlan 192 

! -- Assign an appropriate IP address and subnet mask for VLAN 192 

Sup720(config)# interface Vlan 192

Sup720(config-if)# ip address 192.168.10.1 255.255.255.0

Sup720(config-if)# no shutdown

Sup720(config-if)# exit

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a00808330a9.shtml

Create the WiSM Service Port Gateway and assign the IP address.

Create a VLAN in the Supervisor 720. This VLAN is local to the chassis and is used for communication between Cisco WiSM and Catalyst Supervisor 720 over a Gigabit Interface on the Supervisor and a service port in the Cisco WiSM.

interface Vlan192 

Description WiSM Service Port Gateway or Management Interface on CAT6K

ip address 192.168.10.1 255.255.255.0 

Cisco released a WCS vulnerability last week

Vocera is reporting connectivity issues on 6.0.199.0. They went as far as to release a Technical Advisory to customers. Its not clear what the issue is at the moment. 

The Vocera Advisory states:

Vocera is aware of an issue that customers are experiencing after moving to Cisco WLC version 6.0.199 that manifests itself in a substantial increase in difficulty with badge communications to the Vocera Application Server over the network. Badges will display "Searching For Server" or "Searching For AP."

Vocera is working closely with Cisco and its mutual customers on the problem.

Please consult with Vocera Technical Support and Cisco TAC before upgrading to 6.0.199.

Cisco released a new rev in the 6.0 track, 6.0.199.0. Note: this has potential to be MD / AW tagged. Although, I will wait and see what fall out there is based on the previous releases in the 6.0. track.

Look at the resolved caveats. There are some BIG problems resolved with this reelase. 

Note:6.0 is a MD train and 6.0.199.0 is a potential MD / AW release. 6.0.199.0 release will be marked with MD / AW Tag after few weeks of customer adaptation and completion of AW release certification

Cisco has released a new Engineer Special for the 6.x WLC code; 6.0.196.159

You will have to request this code from Cisco TAC as you will not find this on CCO. Cisco TAC stated 6.x release is tagged as software advisory. They are not recommending this code and if you have it installed you should apply the latest Engineer Special release until the 6.x maintenance release is released. The 6.x maintenance release is expected end of July / early August.

If you have 6.x running today Cisco TAC has advised the following path:

1)      Down grade to 5.2.193.0 (ED)

2)      Upgrade to 7.0.98.0 (ED)

3)      Upgrade to 6.0.196.159 (ES) 

AS_4200_6_0_196_159 is a build from 6.0.196.0, and it is an engineering special that resolves the following additional caveats:

CSCta13941 - AP rejecting association request with status code 13

CSCtb02136 - AP with AP Groups and HREAP will not broadcast SSID

CSCtb20125 - CCMP errors on key rotation

CSCtc73503 - Radios are showing Tx power level 0

CSCtd28542 - WLC crash on emWeb due to AP config change

CSCtd97011 - Radio core dump: Neighbor Discovery frames stuck

CSCte19262 - Client Deauthenticated – “Unable to locate AP 00:00:00:00:00:00”

CSCte55219 - radio core dump due to large # of uplink frames in inprog queue

CSCte55458 - Web-Auth: Web page takes a long time to display under heavy load

CSCte62815 - 5508 not passing OSPF Multicast traffic

CSCte78472 - Invalid PHY rate returned on ADDTS response

CSCte81420 - Crash in process: "Dot11 driver "

CSCte89891 - AP doesn't transmit beacons

CSCte92365 - Auto Immune - AP side

CSCte93549 - The dot11a radio not able to pass traffic, tx queue getting filled.

CSCte96140 - Ethernet bridging breaks when the Ethernet interface of AP 1242 flapped

CSCtf23682 - 5508 - AP cannot join with Multicast MAC as gateway (checkpoint)

CSCtf34858 - Clients unable to pass broadcast traffic

CSCtf69598 - Memory leak in AP on CCKM Failure

CSCtc57611 - Delay in Music on Hold on 7925 with HREAP AP CSCtg45014 - CT5508 - CAPWAP Control traffic has incorrect DSCP marking.

CSCtg71658 - Ap power level reset to 0 when upgrading from 5.0 to 6.0.196.158

CSCtd43906 - J: RAP not transmitting after coming up; when shut due to radar

*ENGINEERING SPECIAL USE DISCLAIMER*

The Engineering Special fix supplied herewith is a Temporary Software Module which has undergone limited testing. This temporary software module is provided “AS-IS” without warranty under the terms of the END USER LICENSE FOR THIS PRODUCT. Please use this software at your own risk. The intention for this code fix is for you to use in your production environment until a released version is available.

Catastrophic isn't my words, but Cisco's.  Engineer's beware ...

Client can't transmit traffic if it reassociates to an AP within 20 sec

Cisco released a new rev for the controllers, 4.2.209.0. I'm not really surprised Cisco is still supporting 4.2. There are a number of large healthcare systems still on the 4.2 rev. 

Another special TAC release (1.3.4.0.2) this time for the Cisco 7921G and 7925G IP Phones. I'm told this release is a 'quick fix' for the battery issue discovered in release 1.3.4. 

Sources at TAC mentioned 1.3.5 could be out as early as end of May. Comments were also made that

 1.3.4.0.2, "has been through only basic testing to verify the power consumption issues"