Belkin Wireless Network Access Point Can Be Disabled By Remote Users
|
|
SecurityTracker Alert ID: 1005138 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 27 2002
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Version(s): Model F5D6130; version 1.4g.8
|
Description: A denial of service vulnerability was reported in the Belkin F5D6103 Wireless Access Point gateway. A remote user can cause the gateway to crash.
It is reported that a remote user can disable the gateway by sending a small number of SNMP GetNextRequest requests to the device.
The device will drop all wireless connections and will not accept new connections. The device will also not respond to traffic
on the Ethernet interface.
A demonstration exploit using snmpwalk is provided (with 'x.x.x.x' as the IP address of the device):
'snmpwalk
x.x.x.x goodnight'
|
Impact: A remote user can cause the device to crash. A power reset is required to return the device to normal operations.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: catalog.belkin.com/IWCatProductPage.process?Merchant_Id=1&Product_Id=122640 (Links to External Site)
|
Cause: State error
|
Reported By: "wlanman" <wlanman@hoobie.net>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 26 Aug 2002 03:46:33 +0100
From: "wlanman" <wlanman@hoobie.net>
Subject: Belkin F5D6130 Wireless Network Access Point SNMP Request Denial Of Service Vulnerability
|
Just picked one of these AP's up the other day and during a quick fiddle
noticed a remote DoS.
It is possible to disable the Belkin F5D6130 802.11b AP by issuing a small
number of SNMP GetNextRequest requests to the AP.
The attack results in the AP dropping all wireless connections and ceasing
to accept any new connections, the wireless activity LED will stop blinking.
The AP will also stop responding to all IP traffic on it's ethernet
interface thus rendering the device unmanageable. The device will require
power cycling to resume correct operation.
The SNMP community name used in the requests is irrelevant. The device will
respond to the SNMP requests by broadcasting one or more SNMP traps and then
cease to function. This behaviour appears to be fairly consistent. The
attack takes a little longer if performed from a wireless system associated
to the target AP and may result in a loss of wireless connectivity only,
leaving the IP stack of the AP intact.
Snmpwalk may readily be used to test for this vulnerability as follows:
'snmpwalk x.x.x.x goodnight' (where x.x.x.x is the IP address of the
AP)
Occasionally must be run a couple of times in which case try specifying a
few different objectIDs.
This has been tested on a number of Belkin F5D6130 APs with the current
factory shipped firmware 1.4g.8.
It is not known if other firmware versions are affected or indeed if
differently branded AP devices using the same hardware are vulnerable.
regards
wlanman <wlanman@hoobie.net>
26th August 2002
|
|
