Cisco Wi-Fi access point flaw lets snoopers in

Cisco Systems is warning of a vulnerability in some of its Aironet Wi-Fi access points that could allow attackers to snoop on corporate networks.

Vulnerable access points will transmit security keys over the air in unencrypted text, meaning that an eavesdropper could intercept them. With the keys, an attacker could easily break the encryption protecting Wi-Fi transmissions. Wi-Fi is a wireless standard commonly used in corporate and personal local-area networks.

The bug affects Aironet 1100, 1200, and 1400 series access points running Cisco IOS software releases 12.2(8)JA, 12.2(11)JA, and 12.2(11)JA1. The affected equipment transmits cleartext versions of Wired Equivalent Privacy (WEP) static keys to the Simple Network Management Protocol (SNMP) server. WEP is a security protocol defined in the Wi-Fi 802.11b standard, designed to give wireless networks the same level of security as a wired LAN. SNMP allows companies to monitor the operation of network devices via a central server.

The devices are only affected when the "snmp-server enable traps wlan-wep" command is enabled, and does not affect dynamically set WEP keys. Cisco access points running VxWorks are not affected. The keys are transmitted only when the access point is rebooted or the static WEP key is changed.

Attackers will only be able to snatch WEP keys if they are able to monitor data sent between the access point and the SNMP server.

Cisco said users should upgrade to IOS version 12.2(13)JA1 or later, or switch off the SNMP command in question. Instructions for the fix are detailed in Cisco's advisory.

Users can also get around the problem by switching to an authentication protocol that uses dynamically set keys, several of which are supported by the access points.

Cisco's access points have recently been the subject of several security warnings. In July, Cisco patched a pair of security flaws that were discovered in its Aironet 1100 series wireless access points. One flaw would have allowed an attacker to use a "classical brute force" technique to discover account names, while the second could freeze the access point and bring down the wireless access zone.

In August Cisco said its LEAP (Lightweight Extensible Authentication Protocol) could allow an attacker to guess user names and passwords in a "dictionary attack".