AMG-2000 is an AP Management Gateway designed for small to medium-sized network deployment and management, making it an ideal solution for easily creating and extending WLANs in SMB offices. AMG-2000 uses an internal Squid proxy to restrict access to the wireless LAN or Internet, e.g. by requiring a username/password on the portal site.
A vulnerability in LevelOne's AMG-2000 allows attackers to bypass the proxy restrictions by sending a special HTTP request.
Credit:
The information has been provided by J. Greil.
The original article can be found at: https://www.sec-consult.com/advisories_e.html#a53
Vulnerable Systems:
* LevelOne AMG-2000 Wireless AP Management Gateway Firmware version 2.00.00build00600 and earlier
The AMG-2000 built-in proxy is misconfigured, which leads to the following vulnerability:
1) An _authenticated_ WLAN guest user/attacker is able to access the restricted administration interface of the AMG-2000 with specially crafted HTTP requests. Furthermore, an attacker is able to access the internal company network over the wireless network!
2) The administration interface shows the passwords of all locally configured users (e.g. on-demand/guest users) and other sensitive settings in plain text.
Workaround:
Reduce the attack surface: don't use the (private) LAN ports where users don't need authentication, and only use the "private LAN" management port on demand (e.g. remove the cable or disable the port on the switch where the AMG-2000 is attached), so an attacker isn't able to access the internal network.
Use strong passwords for the administration interface and remove all default accounts/passwords. Keep in mind that access to the admin interface/brute force attacks are still possible due to the proxy vulnerability!
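Since access through the proxy remains possible with the workaround in place, proxy logs are worth reviewing for guest requests that were served from internal addresses. The following Python example is added here and is not part of the original advisory or any vendor code; it assumes Squid's native access.log format is available from the gateway, and the guest subnet, private LAN range and sample log lines are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed addressing (not from the advisory); adjust to the deployment.
GUEST_NET = ipaddress.ip_network("10.10.0.0/24")            # WLAN guest clients
PROTECTED = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "::1/128", "192.168.1.0/24")]  # gateway itself, private LAN

# Constructed sample lines in Squid's native access.log format.
SAMPLE_LOG = """\
1240992000.101 85 10.10.0.23 TCP_MISS/200 5120 GET http://www.example.com/ guest1 DIRECT/93.184.216.34 text/html
1240992010.202 12 10.10.0.23 TCP_MISS/200 2048 GET http://192.168.1.1/ guest1 DIRECT/192.168.1.1 text/html
1240992020.303  9 10.10.0.23 TCP_MISS/200 1024 GET http://intranet.example.test/ guest1 DIRECT/192.168.1.40 text/html
1240992030.404  3 10.10.0.42 TCP_DENIED/403 900 GET http://192.168.1.1/ - NONE/- text/html
1240992040.505 20 192.168.1.7 TCP_MISS/200 700 GET http://192.168.1.1/ - DIRECT/192.168.1.1 text/html
"""

def url_host(method, url):
    """Destination host as written in the request (CONNECT logs host:port)."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].strip("[]")
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""

def is_protected(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:              # hostname, "-" or empty field
        return False
    return any(ip in net for net in PROTECTED)

def flag(line):
    """Return (client, user, url) when a guest request was served from a protected address."""
    f = line.split()
    if len(f) < 9:
        return None
    client, result, method, url, user, peer = f[2], f[3], f[5], f[6], f[7], f[8]
    try:
        if ipaddress.ip_address(client) not in GUEST_NET:
            return None
    except ValueError:
        return None
    if "DENIED" in result:          # the proxy refused the request
        return None
    # Check the literal host and the address Squid connected to, so names
    # that resolve to internal addresses are caught as well.
    if is_protected(url_host(method, url)) or is_protected(peer.partition("/")[2]):
        return (client, user, url)
    return None

def scan(log_text):
    return [hit for hit in map(flag, log_text.splitlines()) if hit]
```

Running `scan()` over the constructed sample reports the two guest requests that were answered from the private LAN range and ignores the denied request and the request from a non-guest client.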
Disclosure Timeline:
2009-03-03: Asking support@ and security@level-one.de for a security contact
2009-03-10: Asking again, adding info@digital-data.de to the email list
2009-03-13: Vendor (digital-data.de) reply
2009-03-17: Sending vendor (digital-data.de) detailed security advisory with proposed disclosure/release date
2009-03-23: Asking vendor (digital-data.de) whether they have verified the vulnerability
2009-03-23: Digital-data.de replies that the advisory information has been sent to LevelOne who have not answered yet
2009-04-15: Asked the contact at digital-data.de about the status and told again that the advisory will be published on 2009-04-29 as mentioned in the email from 2009-03-23 (according to disclosure policy).
2009-04-15: Received out-of-office reply until 2009-04-17, no answer
2009-04-27: Sent another reminder email with disclosure date info, received out-of-office until 2009-04-28 again, no answer
2009-04-29: Public disclosure