VN 2018-003 - ExtremeWireless WiNG Vulnerabilities


Vulnerability Notice

 
Vulnerability Summary
A research paper written by IOActive identifies weaknesses in the ExtremeWireless WiNG operating system that, under certain conditions, can create denial of service or elevated privilege conditions on the WiNG Access Point. To exploit these vulnerabilities, an attacker requires physical and/or LAN connectivity to the Access Point and/or the Wireless Controller; none of the vulnerabilities can be directly exploited over the air. Thanks to the research team at IOActive for identifying and reporting these issues to Extreme Networks.

This vulnerability notice includes advisories on vulnerability disclosures on the following software components within the ExtremeWireless WiNG operating system:
  • RIM (Radio Interface Module) process
  • MINT (Medium Independent Tunneling) Protocol
  • Web User Interface
Extreme Networks will be posting updated firmware that corrects these vulnerabilities within the ExtremeWireless WiNG operating system.
Note that this vulnerability notice will be updated with CVE identifiers for each of these vulnerabilities as they are acquired.
Products Potentially Affected

ExtremeWireless WiNG Controllers and Access Points

Impact Details

1. Vulnerabilities in the RIM component

Vulnerability in the RIM (Radio Interface Module) process running on the WiNG Access Point (AP) could allow a Denial of Service or stack overflow attack from a compromised device connected on the same network.

Following are the noted vulnerabilities:
a) Remote unauthenticated stack overflow in RIM (CVE-2018-5787)
CVSS base score: 5.3 (Medium) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
b) Remote and unauthenticated denial of service (CVE-2018-5788)
CVSS base score: 7.5 (High) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Attack: To launch this attack, a malicious user needs access to an unsecured wired port that gives visibility to the network and the target Access Point. An attack consists of sending several specially crafted packets to the RIM process port, which could lead to an AP crash.

Scope
Attack / Access: Attacker must have access to the network and RIM process port information
Complexity & Privileges: Need network port access and the privilege to connect a compromised/malicious device to the network
Impact: High (service disruption)
Occurrence: Low, due to the network access required to launch an attack
WiNG Versions Affected: All WiNG versions - 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the Repair Recommendations section below).
Mitigation: ACL "ip access-list" applied to the management policies of the devices
 

2. Vulnerabilities in MINT Protocol

Vulnerability in the MINT (Medium Independent Tunnel) Protocol on the WiNG Access Point (AP) could allow a Denial of Service, heap overflow or stack overflow attack from a compromised device connected on the same network. This vulnerability relies on MiNT to MiNT communications.

Following are the noted vulnerabilities:
a) Remote and unauthenticated heap overflow in HSD process over MINT Protocol (CVE-2018-5791, CVE-2018-5792, CVE-2018-5793)
CVSS base score: 3.1 (Low) (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
b) Remote unauthenticated global denial of service in RIM over MINT Protocol (CVE-2018-5790)
CVSS base score: 5.3 (Medium) (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Attack: To launch this attack, a malicious user needs access to an unsecured wired port that gives visibility to the network and the target Access Point. An attack consists of sending several specially crafted packets over the MINT protocol port, which could lead to an AP crash. To perform this DDoS, an attacker must have access to a WiNG device that has already been compromised by some other method.

Scope
Attack / Access: Attacker must have access to the network and MINT protocol port information
Complexity & Privileges: Need network port access and the privilege to connect a compromised/malicious device to the network
Impact: High (service disruption)
Occurrence: Low, due to the network access required to launch an attack
WiNG Versions Affected: All WiNG versions - 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the Repair Recommendations section below).
Threat Reduction: ADSP or another IDS system can be configured to identify rogue devices and mitigate them at the port or WLAN. There is no ACL option for a tactical fix.
 

3. Vulnerabilities in Web User Interface

A vulnerability in the Web User Interface on the WiNG Access Point (AP) / Controller could allow a Denial of Service attack by exploiting an XML entity expansion vulnerability.

Following are the noted vulnerabilities:
a) Remote and unauthenticated XML entity expansion vulnerability can cause denial of service (CVE-2018-5789)
CVSS base score: 7.5 (High) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
b) Arbitrary file write from WebGUI (CVE-2018-5795)
CVSS base score: 2.6 (Low) (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N)

Attack: To launch this attack, a malicious user needs access to the management interface of the WiNG AP / Controller. An attack consists of sending specially crafted XML entities, which could lead to an AP / Controller crash.

Scope
Attack / Access: Attacker must have access to the network and the Web management interface
Complexity & Privileges: Need network access and the privilege to connect to the Web management interface of the AP / Controller
Impact: High (service disruption)
Occurrence: Low, due to the network access required to launch an attack
WiNG Versions Affected: All WiNG versions - 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the Repair Recommendations section below).
Mitigation: Disable the web interface for all devices in the Management policy and/or create Management Policy ACLs for specific IT personnel or networks only. It is also recommended to evaluate device login and distributed passwords.
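As an added example (not part of this advisory and not Extreme Networks code), the following Python guard shows how a management interface can reject XML entity-expansion payloads of the kind described in item 3 before the parser expands them. It uses the standard-library expat parser; the declaration and expansion limits and the two sample documents are assumed, constructed values.

```python
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")

def check_xml_entities(data, max_entities=20, max_expansion=5_000):
    """Parse `data` with expat while auditing every entity declared in the DTD.
    Rejects external entities, too many declarations, or any entity whose fully
    expanded text exceeds `max_expansion` bytes (limits here are assumed values).
    Returns {entity name: expanded size} for documents that pass."""
    declared = {}  # entity name -> raw, unexpanded replacement text

    def expanded_size(name, memo, stack=()):
        # Size of `name` after recursively substituting nested references;
        # memoised so a deep bomb costs O(entities), not O(expanded bytes).
        if name in memo:
            return memo[name]
        if name in stack:  # a cycle is illegal XML; treat it as hostile
            raise ValueError(f"recursive entity {name!r}")
        text = declared.get(name)
        if text is None:  # predefined (&amp; ...) or not yet declared
            return 0
        total = len(text)
        for ref in ENTITY_REF.findall(text):
            total += expanded_size(ref, memo, stack + (name,)) - len(ref) - 2
        memo[name] = total
        return total

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None or system_id is not None:
            raise ValueError(f"external entity {name!r} not allowed")
        declared[name] = value
        if len(declared) > max_entities:
            raise ValueError("too many entity declarations")
        size = expanded_size(name, {})
        if size > max_expansion:
            raise ValueError(f"entity {name!r} expands to {size} bytes")

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)  # exceptions raised in the handler propagate here
    memo = {}
    return {name: expanded_size(name, memo) for name in declared}

# Constructed sample inputs: one benign DTD, one four-level expansion bomb.
BENIGN = b'<!DOCTYPE x [<!ENTITY co "Extreme Networks">]><x>&co;</x>'
BOMB = b"""<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">]><x>&d;</x>"""
```

The check runs at declaration time, so the bomb is refused at the fourth entity, before the reference in the document body is ever expanded.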
 

4. Vulnerability in root shell access password

Vulnerability in the password generation for root shell access could allow an attacker to elevate their privilege on the WiNG Access Point (AP) / Controller.

Following are the noted vulnerabilities:
a) Hidden root shell for WiNG OS (CVE-2018-5796)
CVSS base score: 7.3 (High) (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H)

Attack: To launch this attack, a malicious user needs the administrator password and access to the management interface of the WiNG AP / Controller. An attack consists of accessing the AP / Controller with administrator credentials and gaining access to a root shell using the restricted CLI command 'service start-shell'.

Scope
Attack / Access: Attacker must have access to the network and the administrator access credentials
Complexity & Privileges: Need network access, administrator credentials and the privilege to connect to the management interface of the AP / Controller
Impact: Medium (elevated privileges using the restricted CLI)
Occurrence: Low, due to the network access and admin credentials required to launch an attack
WiNG Versions Affected: All WiNG versions - 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the Repair Recommendations section below).
Mitigation: Disable the web interface for all devices in the Management policy and/or create Management Policy ACLs for specific IT personnel or networks only. It is also recommended to evaluate device login and distributed passwords.
 

5. Vulnerability in Secure MINT static message key

The default Secure MINT static message key could be determined and allow an attacker to gain sensitive information (AAA/Radius user/password) by using a man-in-the-middle attack.

Following are the noted vulnerabilities:
a) Smint_encrypt hardcoded AES key (CVE-2018-5797)
CVSS base score: TBD

Attack: To launch this attack, a malicious user needs access to an unsecured wired port that gives visibility to the network and the target Access Point(s). An attack consists of listening for specific secure MINT protocol packets and decrypting them using the static AES key.

Scope
Attack / Access: Attacker must have access to the network, the MINT protocol port and the static AES key information
Complexity & Privileges: Need network port access and the privilege to connect to the network
Impact: Medium
Occurrence: Low, due to the network access required to launch an attack
WiNG Versions Affected: All WiNG versions - 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the Repair Recommendations section below).
Mitigation: Set a non-default key in the AP Profile and in the Profile of the Controller, e.g.: VX9000-1(config-profile-VX9000-PROFILE)#service wireless inter-ap-key <0,2> <secretpassword>
Additional Precautions: Proper security practices dictate that all default passwords should be changed. All releases listed above provide a method to update the secure MiNT keys. The "Secure MiNT Password" should be changed from the default. As such, there is nothing to fix.
 

6. Open Aeroscout Service authentication

The Aeroscout service port is open and could allow an attacker to send fake or malformed data to the Aeroscout server. However, this is not viewed as a vulnerability in WiNG software, as it only acts as a pass-through between Aeroscout tags and servers and does not have the means to examine the data sent by the tags.

Following are the noted vulnerabilities:
a) Aeroscout service has no authentication (CVE-2018-5794)
CVSS base score: N/A

Attack: An attack consists of sending a specially crafted Aeroscout UDP packet to the Aeroscout service port.

Scope
Attack / Access: Attacker must have access to the network and Aeroscout port information
Complexity & Privileges: Need network port access and the privilege to connect to the network
Impact: Low
Occurrence: Low, due to the network access required to launch an attack
WiNG Versions Affected: All WiNG versions - 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the Repair Recommendations section below).

Repair Recommendations
It is recommended to limit the access to critical infrastructure network equipment (Wired Access Ports, APs, Wireless Controllers) only to trusted administrative devices/hosts.

Additional recommendations:
  • Use ACL configuration to prevent any over the air attacks
  • Use existing CLI to configure encryption key for secure MINT messages
  • ADSP to detect and terminate rogue devices on wired ports
  • It is recommended to upgrade to the following versions with the fix for the discussed vulnerabilities:
    • WiNG 5.9.1.3 (Available Jan 1, 2018)
    • WiNG 5.8.6.9 (Available Feb 15, 2018)
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.
