Third time's NOT the charm for Cisco's adaptive WIPS (aWIPS)

Posted by Hemant Chaskar on Jan 26, 2013
Can you beleive it? - yet another alert came out about a vulnerability in Cisco's WIPS (adaptive Wireless Intrusion Prevention System or aWIPS as Cisco likes to call it):

Particularly interesting is Cisco’s proposed workarounds which state:

Cisco Wireless LAN Controllers Wireless Intrusion Prevention System Denial of Service Vulnerability Proposed workarounds for vulnerabilities in Cisco wireless LAN Controllers

While Cisco aWIPS touts to protect from wireless vulnerabilities, it is still facing a bigger, more basic problem, which is to first protect ITSELF, before it can protect others! Clearly these proposed workarounds are to salvage the system itself, or shall we say "self-heal". Paradoxical, in light of Cisco’s recent “self-healing” acquisition :-)

Cisco spends $475M on Intucell’s self-healing network software by Ricardo Bilton of VentureBeat

What about the customer's network security posture in all of this?

The vulnerability description talks about the attacker likely requiring access to a trusted private network to be exploited. As such, Cisco labels the alert “unlikely use” and “mild severity”.
@CiscoSecurity : Oxymoron … don’t ya think?

Consider this attack scenario:

A rogue AP is connected to a trusted network. Accordingly, it opens access to the trusted network for outsiders. The Cisco aWIPS is supposed to detect and contain this Rogue AP, but through this very same Rogue AP, the attacker launches the crafted packet and does DoS on aWIPS. So the Rogue AP itself is used to nuke the Cisco aWIPS that was supposed to protect the network from Rogue APs. Doesn’t this sound like plausible and severe scenario. Why take that chance?


Follow Airtight Networks on Twitter


Once, twice, three times aWIPS …

I don’t know about you but I think that Cisco needs to take a hard look at the architectural foundations of its aWIPS architecture. This is not the first, not the second, but the third time that Cisco’s aWIPS has been hacked. Could this be because aWIPS is not designed from the ground up as a security system, but it's a third party signature engine patched to WLC architecture?

Going down memory lane, let’s revisit the first two Cisco-charms: 1) MFP security disorder, and 2) LAPs as rogues

1) Turn on yourself (autoimmune disorder of MFP security)

Check out the reference material

When Cisco launched MFP as a savior for deauth DoS attacks, security researchers showed that MFP not only not stopped deauth DoS attacks, but introduced new ones of its own which were easier to launch deauth DoS attacks. The technique that was supposed to stop DoS attacks was itself DoS'ed.

2) Turn Cisco lightweight APs (LAPs) into Rogue APs

You'll recall the Cisco Skyjacking attack where the attacker could hijack Cisco APs and aWIPS sensors from the enterprise WLC and control them from outside of the trusted network. Skyjacking allowed Cisco APs and aWIPS sensors themselves to be turned into Rogue APs on the network.


Skyjacking a Cisco WLAN: Attack Analysis and Countermeasures (webinar) featuring Dr. Pravin Bhagwat, Airtight Networks CTO, and Dr. Hemant Chaskar, Airtight Networks VP, Technology and Innovation

Understanding WiFi Security Vulnerabilities and Solutions on slideshare


Cisco WIPS Paradox: The Third Time’s NOT the Charm
With this third @Cisco alert, clearly this is not heading in the right direction. The devices which are supposed to be trusted for secure Wi-Fi are themselves turned into vulnerabilities in the Wi-Fi. You can practically hear Alanis Morissette signing IRONIC …
How many more can we expect? Instead of waiting for more Cisco charm, why not use the industry’s best of the breed WIPS that is built with a solid foundation so that it can protect your networks without giving itself in to attackers? Come to AirTight!


Airtight Networks rated “strong positive” in 2012 Gartner MarketScope for Wireless LAN Intrusion Prevention Systems

Topics: Wireless security


Subscribe to Email Updates

Posts by Topic

see all