1. Vulnerabilities in the RIM component
A vulnerability in the RIM (Radio Interface Module) process running on the WiNG Access Point (AP) could allow a denial of service and/or remote code execution from an attacker-controlled device connected to the same network.
Following are the noted vulnerabilities:
a) Remote unauthenticated stack overflow in RIM (CVE-2018-5787)
CVSS base score: 5.3 (Medium) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
b) Remote and unauthenticated denial of service (CVE-2018-5788)
CVSS base score: 7.5 (High) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack: To launch this attack, a malicious user needs access over the air or to an unsecured wired port that gives visibility to the network and the target Access Point. The attack consists of sending several specially crafted packets to the RIM process port, which can lead to an AP crash.
Scope:
Attack / Access | Attacker must have access to the network and RIM process port information
Complexity & Privileges | Need network port access and privilege to connect a compromised/malicious device to the network
Impact: High (service disruption, remote code execution).
Occurrence: High
WiNG Versions Affected: All WiNG versions: 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the section below).
Mitigation: Apply an ACL ("ip access-list") to the management policies of the devices.
2. Vulnerabilities in MINT Protocol
A vulnerability in the MINT (Medium Independent Tunnel) Protocol on the WiNG Access Point (AP) could allow a denial of service and/or remote code execution from an attacker-controlled device connected to the same network. This vulnerability is reachable through MiNT-to-MiNT communication.
Following are the noted vulnerabilities:
a) Remote and unauthenticated heap overflow in HSD process over MINT Protocol (CVE-2018-5791, CVE-2018-5792, CVE-2018-5793)
CVSS base score: 3.1 (Low) (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
b) Remote unauthenticated global denial of service in RIM over MINT Protocol (CVE-2018-5790)
CVSS base score: 5.3 (Medium) (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack: To launch this attack, a malicious user needs access over the air or to an unsecured wired port that gives visibility to the network and the target Access Point. The attack consists of sending several specially crafted packets to the MINT protocol port, which can lead to an AP crash. To perform this DDoS attack, a malicious user may use any device that has network connectivity to the MINT neighbor.
Scope:
Attack / Access | Attacker must have access to the network and MINT protocol port information
Complexity & Privileges | Need network port access
Impact: High (service disruption, remote code execution)
Occurrence: High
WiNG Versions Affected: All WiNG versions: 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the section below).
Threat Reduction: ADSP or other IDS system can be configured to identify rogue devices and mitigate at port or WLAN. There is no ACL option for a tactical fix.
3. Vulnerabilities in Web User Interface
A vulnerability in the Web User Interface on the WiNG Access Point (AP) / Controller could allow a denial-of-service attack exploiting an XML entity expansion vulnerability.
Following are the noted vulnerabilities:
a) Remote and unauthenticated XML entity expansion vulnerability can cause denial of service (CVE-2018-5789)
CVSS base score: 7.5 (High) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
b) Arbitrary file write from WebGUI (CVE-2018-5795)
CVSS base score: 2.6 (Low) (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N)
Attack: To launch this attack, a malicious user needs access to the management interface of the WiNG AP / Controller. The attack consists of sending specially crafted XML entities, which can lead to an AP / Controller crash.
Scope:
Attack / Access | Attacker must have access to the network and the Web management interface
Complexity & Privileges | Need network access and privilege to connect to the Web management interface of the AP / Controller
Impact: High (service disruption)
Occurrence: Low due to network access required to launch an attack
WiNG Versions Affected: All WiNG versions: 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the section below).
Mitigation: Disable the web interface for all devices in the Management policy and/or create Management Policy ACLs that admit only specific IT personnel or networks. It is also recommended to evaluate device logins and distributed passwords.
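As an added illustration of the defensive counterpart to the XML entity expansion flaw above (example code written for this page, not WiNG's own code), the following Python parser refuses any document that declares entities, so a recursively expanding payload is rejected at its declaration before anything is expanded, and it caps input size as a second guard. The sample documents are constructed; the policy of rejecting all entity declarations is an assumption suited to a management interface that never needs DTDs.

```python
import xml.parsers.expat

# Constructed sample inputs: a benign document and one that declares an
# internal entity (the building block of an entity-expansion attack).
BENIGN_XML = b"<config><ap name='ap1'/><ap name='ap2'/></config>"
ENTITY_XML = b'<!DOCTYPE c [<!ENTITY e "x">]><config>&e;</config>'

MAX_BYTES = 1_000_000  # upper bound on accepted document size (assumed policy)


class UnsafeXML(ValueError):
    """Raised when a document uses features a management interface should not accept."""


def parse_strict(data: bytes, max_bytes: int = MAX_BYTES) -> list:
    """Parse XML and return the element names seen, rejecting oversized
    input and any entity declaration (internal or external)."""
    if len(data) > max_bytes:
        raise UnsafeXML("document exceeds %d bytes" % max_bytes)
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def reject_entity(*_args):
        # expat calls this for every <!ENTITY ...> in the DTD; aborting here
        # means no entity reference in the body is ever expanded.
        raise UnsafeXML("entity declarations are not allowed")

    def reject_external(*_args):
        # Called when expat would fetch an external entity; never allow it.
        raise UnsafeXML("external entity references are not allowed")

    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


def is_safe(data: bytes) -> bool:
    """True if the document parses under the strict rules, False on any rejection
    or on malformed XML (an ExpatError)."""
    try:
        parse_strict(data)
        return True
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False
```

Current expat builds also apply an internal amplification limit, but rejecting declarations outright removes the expansion path entirely rather than bounding it.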
4. Vulnerability in service shell access password
A vulnerability in the password generation for service shell access could allow an attacker to elevate their privileges on the WiNG Access Point (AP) / Controller. Service shell authentication uses a one-time password scheme. The design uses a hard-wired seed value that allows an attacker to compute service shell passwords for all WiNG APs/Controllers.
Following are the noted vulnerabilities:
a) Hidden root shell for WiNG OS (CVE-2018-5796)
CVSS base score: 7.3 (High) (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H)
Attack: To launch this attack, a malicious user needs access to the administrator password and the management interface of the WiNG AP / Controller. An attack consists of accessing the AP / Controller with administrator access credentials and gaining access to root shell by invoking the restricted CLI 'service start-shell' and providing a computed password.
Scope:
Attack / Access | Attacker must have access to the network and the administrator access credentials
Complexity & Privileges | Need network access, administrator credentials and privilege to connect to the management interface of the AP / Controller
Impact: Medium (Elevated privileges using restricted CLI)
Occurrence: Low due to network access and admin credentials required to launch an attack
WiNG Versions Affected: All WiNG versions: 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the section below).
Mitigation: Disable the web interface for all devices in the Management policy and/or create Management Policy ACLs that admit only specific IT personnel or networks. It is also recommended to evaluate device logins and distributed passwords.
WiNG 5.9.1.3 (Available Jan 1, 2018) and WiNG 5.8.6.9 (Available Feb 15, 2018) include enhancements that seed the service shell password generation mechanism of each device with a random value that confines scope of the attack to an individual device. Given a previously used service shell password for a specific device, the attacker can only compute future service shell passwords for that device.
WiNG 5.9.3 (Available mid-October, 2018) removes the service shell one-time password generation mechanism in favor of returning management of the service shell password to the device administrator.
5. Vulnerability in Secure MINT static message key
The default Secure MINT static message key could be determined, allowing an attacker to obtain sensitive information (AAA/RADIUS user/password) through a man-in-the-middle attack.
Following are the noted vulnerabilities:
a) Smint_encrypt hardcoded AES key (CVE-2018-5797)
CVSS base score: 4.7 (Medium) (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/RC:R/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MC:L/MI:N/MA:N)
Attack: To launch this attack, a malicious user needs access to an unsecured wired port that gives visibility to the network and the target Access Point(s). The attack consists of listening for specific secure MINT protocol packets and decrypting them using the static AES key.
Scope:
Attack / Access | Attacker must have access to the network, the MINT protocol port and the static AES key information
Complexity & Privileges | Need network port access and privilege to connect to the network
Impact: Medium
Occurrence: Low due to network access required to launch an attack
WiNG Versions Affected: All WiNG versions: 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the section below).
Mitigation: Configure the inter-AP key in the AP Profile and in the Controller Profile, i.e.:
VX9000-1(config-profile-VX9000-PROFILE)#service wireless inter-ap-key <0,2> <secretpassword>
Additional Precautions: Proper security practices dictate that all default passwords should be changed. All releases listed above provide a method to update the secure MiNT keys. The "Secure MiNT Password" should be changed from the default. No software changes were needed to address this disclosure.
6. Open Aeroscout Service authentication
The Aeroscout service port is open and could allow an attacker to send fake or malformed data to the Aeroscout server. Extreme is working independently with the Aeroscout vendor to evaluate remediation actions.
Following are the noted vulnerabilities:
a) Aeroscout service has no authentication (CVE-2018-5794)
CVSS base score: N/A
Attack: The attack consists of sending a specially crafted Aeroscout UDP packet to a service port configured with the Aeroscout service.
Scope:
Attack / Access | Attacker must have access to the network and Aeroscout port information
Complexity & Privileges | Need network port access and privilege to connect to the network
Impact: Low
Occurrence: Low due to network access required to launch an attack
WiNG Versions Affected: All WiNG versions: 5.x, 5.1.x, 5.2.x, 5.3.x, 5.4.x, 5.5.x, 5.6.x, 5.7.x. Applicable fixes are available or pending for 5.8.x and 5.9.x (see the section below).