snsadv@lac.co.jp
24/12/02, 17:12
--------------------------------------------------------------------------
SNS Advisory No.60
Windows XP Disclosure of Registered AP Information
Problem first discovered: 30 Aug 2002
Published: 4 Dec 2002
Last revised: 24 Dec 2002
http://www.lac.co.jp/security/english/snsadv_e/60_e.html
--------------------------------------------------------------------------
Overview:
---------
Windows XP's wireless LAN feature may disclose registered access points
information.
Packets encrypted with WEP could be sent out even if the radio wave of
the original access point does not propagate well.
There is a risk that the list of SSID values assigned to registered
access points and the packets encrypted with WEP may be intercepted and
decrypted.
Problem Description:
--------------------
Windows XP machines utilizing wireless LAN automatically search for
available access points. If not found, requests are continuously sent for
already registered access points available until connection is achieved.
If an access point with the same SSID as of an access point already
configured for XP is installed, Windows XP will recognize it as the same
access point. Windows XP will then encrypt packets with WEP and start
transmission.
Information regarding registered SSIDs can be obtained from available
inquiry packets by using a packet monitoring tool for wireless LAN.
Additionally, packets encrypted with WEP of any registered access point
for Windows XP machines can also be intercepted by establishing an access
point with the same SSID.
As the functions to search for available access points and to send
inquiry requests are always enabled, Windows XP machines using wireless
LAN feature will leak SSID information of registered access points if
they cannot establish a connection with an available access point.
In addition, WEP is susceptible to some already known vulnerabilities.
Data encrypted with 40-bit keys can be decrypted through brute force
attacks in a short period of time. In the case of 104-bit encryption
use, it has been reported that data can be decrypted in approximately two
weeks.
Consequently, sending out packets encrypted with WEP is not a recommended
security practice in an environment where the original access points are
not available.
Refer to the following URL for explanatory figures:
http://www.lac.co.jp/security/english/snsadv_e/60_e.html
Solution:
---------
Disable the wireless LAN function of Windows XP and use drivers made from
third-parties that are not susceptible to the problem described above.
Discovered by:
--------------
Nobuo Miwa n-miwa@lac.co.jp
Vendor Status:
--------------
This issue was reported to Security Response Team of Microsoft Asia
Limited on August 30th, 2002 and we have been discussing the possibility
of changing the "specification" that was reported in this Advisory.
However, because the specification of 802.11b wireless is not maintained
by Microsoft, they can not change the specification.
Comment from Microsoft:
-----------------------
This is not an issue that occurs exclusively on Windows XP, rather it
is an issue with the IEEE 802.11b specification. Implementing
IEEE 802.11b to conform to its Wireless Standard and sending Associate
Requests is not specified by Microsoft.
Acknowledgements:
-----------------
Security Response Team of Microsoft Asia Limited
Revision History:
-----------------
4 Dec 2002 : * Initial release
24 Dec 2002 : * Updated "Vendor Status" section
* Added Comment from Microsoft
Disclaimer:
-----------
All information in these advisories are subject to change without any
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.
------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
SNS Advisory No.60
Windows XP Disclosure of Registered AP Information
Problem first discovered: 30 Aug 2002
Published: 4 Dec 2002
Last revised: 24 Dec 2002
http://www.lac.co.jp/security/english/snsadv_e/60_e.html
--------------------------------------------------------------------------
Overview:
---------
Windows XP's wireless LAN feature may disclose registered access points
information.
Packets encrypted with WEP could be sent out even if the radio wave of
the original access point does not propagate well.
There is a risk that the list of SSID values assigned to registered
access points and the packets encrypted with WEP may be intercepted and
decrypted.
Problem Description:
--------------------
Windows XP machines utilizing wireless LAN automatically search for
available access points. If not found, requests are continuously sent for
already registered access points available until connection is achieved.
If an access point with the same SSID as of an access point already
configured for XP is installed, Windows XP will recognize it as the same
access point. Windows XP will then encrypt packets with WEP and start
transmission.
Information regarding registered SSIDs can be obtained from available
inquiry packets by using a packet monitoring tool for wireless LAN.
Additionally, packets encrypted with WEP of any registered access point
for Windows XP machines can also be intercepted by establishing an access
point with the same SSID.
As the functions to search for available access points and to send
inquiry requests are always enabled, Windows XP machines using wireless
LAN feature will leak SSID information of registered access points if
they cannot establish a connection with an available access point.
In addition, WEP is susceptible to some already known vulnerabilities.
Data encrypted with 40-bit keys can be decrypted through brute force
attacks in a short period of time. In the case of 104-bit encryption
use, it has been reported that data can be decrypted in approximately two
weeks.
Consequently, sending out packets encrypted with WEP is not a recommended
security practice in an environment where the original access points are
not available.
Refer to the following URL for explanatory figures:
http://www.lac.co.jp/security/english/snsadv_e/60_e.html
Solution:
---------
Disable the wireless LAN function of Windows XP and use drivers made from
third-parties that are not susceptible to the problem described above.
Discovered by:
--------------
Nobuo Miwa n-miwa@lac.co.jp
Vendor Status:
--------------
This issue was reported to Security Response Team of Microsoft Asia
Limited on August 30th, 2002 and we have been discussing the possibility
of changing the "specification" that was reported in this Advisory.
However, because the specification of 802.11b wireless is not maintained
by Microsoft, they can not change the specification.
Comment from Microsoft:
-----------------------
This is not an issue that occurs exclusively on Windows XP, rather it
is an issue with the IEEE 802.11b specification. Implementing
IEEE 802.11b to conform to its Wireless Standard and sending Associate
Requests is not specified by Microsoft.
Acknowledgements:
-----------------
Security Response Team of Microsoft Asia Limited
Revision History:
-----------------
4 Dec 2002 : * Initial release
24 Dec 2002 : * Updated "Vendor Status" section
* Added Comment from Microsoft
Disclaimer:
-----------
All information in these advisories are subject to change without any
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.
------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/