Summary: A working attack tool for this vulnerability is publicly available, so it’s important for affected users to heed all vendor warnings.
A vulnerability exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) protocol, also known as Wi-Fi Simple Config, when devices are operating in PIN External Registrar (PIN-ER) mode. Devices operating in PIN-ER mode allow a WPS-capable client to supply only the correct WPS PIN to configure the client on a properly secured network. A weakness in the protocol affects all devices that operate in PIN-ER mode and may allow an unauthenticated, remote attacker to brute-force the WPS configuration PIN in a short amount of time.
The vulnerability is due to a flaw that allows an attacker to determine when the first four digits of the eight-digit PIN are correct. This effectively reduces the PIN space from 10^7 (10,000,000) possible values to 10^4 + 10^3, which is 11,000 possible values. The eighth digit of the PIN is used as a checksum of the first seven digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could brute-force the WPS PIN in as little as a few hours.
While the affected devices listed below implement the WPS 1.0 standard, which requires that a 60-second lockout be implemented after three unsuccessful attempts to authenticate to the device, this does not substantially mitigate the issue, as it only increases the time to exploit the protocol weakness from a few hours to at most several days. It is our recommendation to disable the WPS feature to prevent exploitation of this vulnerability.
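The keyspace and lockout figures above can be checked with a short calculation. This is an added example, not code from the advisory or the vendor; the checksum routine is the commonly published WPS PIN checksum (alternating weights 3 and 1), and the one-second-per-attempt rate is an assumption chosen for illustration.

```python
# Added example: keyspace and lockout arithmetic for the WPS PIN weakness.
# SECS_PER_ATTEMPT is an assumed figure, not a measurement from the advisory.
SECS_PER_ATTEMPT = 1.0


def wps_checksum(first7):
    """Eighth PIN digit, derived from the first seven (weights 3,1,3,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def full_pin(first7):
    """Eight-digit PIN string for a seven-digit value."""
    return f"{first7:07d}{wps_checksum(first7)}"


def second_halves(first4):
    """Every valid last-four-digit block once the first half is fixed."""
    return {full_pin(first4 * 1000 + mid)[4:] for mid in range(1000)}


def worst_case_guesses(halves_confirmed_separately):
    """Guesses needed to cover the whole PIN space."""
    return 10**4 + 10**3 if halves_confirmed_separately else 10**7


def worst_case_seconds(guesses, lock_after=None, lock_secs=0):
    """Time to exhaust `guesses`; a lockout follows every `lock_after` failures."""
    total = guesses * SECS_PER_ATTEMPT
    if lock_after:
        total += ((guesses - 1) // lock_after) * lock_secs  # final guess succeeds
    return total


if __name__ == "__main__":
    n = worst_case_guesses(True)
    print("valid second halves per first half:", len(second_halves(1234)))
    print("worst-case guesses:", n)
    print("no lockout: %.1f hours" % (worst_case_seconds(n) / 3600))
    print("60 s lockout per 3 failures: %.1f days" % (worst_case_seconds(n, 3, 60) / 86400))
```

At the assumed rate, the lockout stretches the worst case from roughly three hours to under three days, which is why the advisory treats it as an insufficient mitigation.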
Here are the affected Cisco products:
Details of this vulnerability were discussed at a security conference last December.