The vulnerability is based in a feature that makes it easy for Cisco access points to associate with a controller in the network. Existing APs broadcast information about the nearby network controller they communicate with. When an enterprise hangs a new AP, that AP listens to information broadcast by other APs and knows which controller to connect to.
AirMagnet worries that a person using war driving techniques could “skyjack” a new AP by getting the AP to connect to a controller outside of the enterprise.
Enterprises can avoid that scenario by configuring their access points with a preferred controller list, Cisco said. That bypasses the over-the-air provisioning process that could result in an AP connecting to an outside controller.
Also, Cisco said that even if an AP did connect to an unauthorized controller, workers would then be unable to connect to that AP. That would prevent a hacker from intercepting their communication.
However, once an AP is connected to an unauthorized controller, a hacker might then be able to access the company’s entire network, said Wade Williamson, director of product management at AirMagnet. “Someone being able to drill into your wired network is much more concerning than users not being able to check e-mail,” he said.
Cisco did not immediately respond to a question about the potential of that scenario.
Cisco rates the vulnerability as unlikely to be used. It notes that in order to exploit the hole, an attacker would have to be able to deploy a Cisco controller within radio range of a newly installed AP.
The vulnerability affects Cisco Lightweight Access Point 1100 and 1200 series.