Earlier this week, the networking company acknowledged a previously discovered vulnerability in its Lightweight Extensible Authentication Protocol (LEAP) that makes it easier for hackers to launch dictionary attacks to guess common passwords used to access wireless LANs. The company is now recommending that customers use a new security protocol called EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling), which it said helps reduce this threat.
Dictionary attacks, which run through a massive file of words until finding a password match, threaten every form of password control. But the problem with LEAP let hackers greatly reduce the number of possible password matches, thus making the dictionary attacks faster and easier, said Joshua Wright, a security expert who alerted Cisco to the vulnerability. What's more, LEAP also allowed hackers to try their password matches offline, giving them ample time and access to hunt for matches.
Last August, Wright, who works for the SANS Institute network security group, discovered the LEAP vulnerabilities, and he developed a tool, called ASLEAP, to exploit them. After contacting Cisco, Wright agreed to hold onto the tool until Cisco developed an alternative authentication protocol and notified customers of the risks associated with using LEAP.
"When I discovered this weakness in the LEAP protocol, I searched the Cisco Web site for references to this vulnerability," he wrote on his Web site documenting the flaws. "I discovered one small reference to a dictionary attack vulnerability against user passwords, which I felt was insufficient notification for such a critical flaw in the protocol."
In February, Cisco submitted documentation to the Institute of Electrical and Electronics Engineers (IEEE) for EAP-FAST, which eliminates some of the problems with LEAP. Unlike LEAP, the new protocol does not allow hackers to limit the pool of potential password matches, which means that an attacker must try every word in the dictionary file to find a match. This slows down the attacker and makes gaining access to the network more difficult. EAP-FAST also doesn't allow the search for a match to be taken offline. In other words, a hacker must try the possible passwords online and risk being shut out of the network if it doesn't find a match in a certain number of attempts.
While EAP-FAST is an improvement over LEAP, it does not completely eliminate the risk of dictionary attacks, Wright warned. Like any password-protected security mechanism, EAP-FAST could still succumb to a dictionary attack.
"If you use passwords that are easy to figure out, no authentication product is going to protect you," said Mike Disabato, vice president and service director at Burton Group. "End-users have to be smart about their password use."
In a statement, Cisco said it is aware of the dictionary attack method that exploits known vulnerabilities to password-based security schemes for WLANs. Cisco recommends that users review their security policies and institute previously published best practices that require the use of strong passwords to help make their systems impervious to this type of attack. It also recommends that customers using LEAP who cannot enforce a strong password policy and do not want to use security certificates migrate to EAP-FAST for protection from dictionary attacks.
The LEAP vulnerability is not the only security issue Cisco Wireless LAN customers have had to deal with lately. Last week, the company notified customers that a preset username and password coded into its Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) could give attackers complete control of the wireless LAN management devices. The company has posted software patches for both products.
But Cisco customers seem to be taking the security problems in stride.
"It doesn't really concern me," said Phil Go, CIO at Barton Malow, a construction firm that uses Cisco's wireless LAN products. "Ideally, I'd like to see them do it right the first time, but in this business, new problems will always come up. I feel satisfied that they are addressing the problems as they come up."
Like those of software giant Microsoft, Cisco's products are more widely deployed than its competitors', and there is more scrutiny from the installed base once the product is released. Analysts say these companies should be doing more to protect customers.
"Microsoft and Cisco and any other big vendor out there are under pressure to get products to customers when they promised," Disabato said. "And sometimes they take short cuts or forget to check things. But I think they need everyone needs to start taking the extra step to make sure that these products are really secure."
