[原文]SNMP agents in 3Com AirConnect AP-4111 and Symbol 41X1 Access Point allow remote attackers to obtain the WEP encryption key by reading it from a MIB when the value should be write-only, via (1) dot11WEPDefaultKeyValue in the dot11WEPDefaultKeysTable of the IEEE 802.11b MIB, or (2) ap128bWepKeyValue in the ap128bWEPKeyTable in the Symbol MIB.
SNMP agents in 3Com AirConnect and Symbol Access Point may allow a remote attacker to obtain the WEP encryption key. The issue is triggered when the SNMP agents reveals the WEP encryption key in response to SNMP queries for the dot11WEPDefaultKeysTable in the IEEE 802.11 MIB or the the ap128bWEPKeyTable in the 3ComAP MIB. It is possible that the flaw may allow a remote attacker to undermine authentication and privacy protection mechanisms for wireless clients, resulting in further access to the wireless network.
Consult your vendor for appropriate patches. It is also possible to correct the flaw by implementing the following workaround: Disable all SNMP agents.
This vulnerability was announced to Bugtraq in an ISS X-Force Security Advisory on June 20, 2001.
Symbol Access Point Series 41X1
3Com AirConnect AP-4111
Lucent ORiNOCO WaveLAN AP-1000
Symbol Technologies is the manufacturer of various wireless electronic components and devices. Symbol Technologies provides components to various manufacturers for use in Wireless Access Points on 802.11b networks.
A problem in Symbol firmware makes it possible to retrieve the WEP Key from the wired network interface. This can be accomplished by sending a query to the interface via SNMP. The need for a community string with the query is currently unknown.
Therefore, it's possible for a remote user to gain access to the WEP key, which could lead to sniffing of the wireless network, and potentially gaining unrestricted access.
Upgrades forthcoming. 3Com product upgrades will be made available via the primary 3Com Site (http://www.3com.com).