Airport Extreme security vulnerability

Discussion in 'Mac Accessories' started by bilbo--baggins, Sep 28, 2011.

  1. bilbo--baggins macrumors 6502a

    Joined:
    Jan 6, 2006
    Location:
    UK
    #1
    We have had to get our home network scanned internally for PCI compliance. The only "high risk" problem that is flagged (causing us to fail the scan) is that Airport Utility sends the Airport Extreme administration password across the network effectively unencrypted.

    What's really surprising is that this problem has existed since 2003.

    The scanning tool I'm using suggests the solution is to 1) block port 5009, and 2) administer the Airport Extreme only via a direct connection with a cross-over cable.

However, another security site suggests that Apple's response to the vulnerability is that the Airport Extreme should only be administered using an encrypted Airport connection, but the security site disagrees (presumably because at the time this involved WEP) and says a wired connection is required.

I'm fairly new to this PCI compliance stuff - but my interpretation is that we need to pass the scan to comply. However, there seems to be no way to configure the Airport Extreme to block port 5009. Therefore even if I only administer the unit securely (via WPA2 or by crossover cable so that the password is not sent around the network unencrypted) it will still fail the internal scan.

    The network is very small, in a domestic property, so in reality there is almost zero risk, so it doesn't feel like it warrants buying another brand of router.

    Has anyone dealt with this scenario of Airport Extreme failing Internal Network Vulnerability Scans? Is there any way of configuring it to block port 5009? When I try to use port mapping it tells me that the port conflicts with a configuration port.
     
  2. miles01110 macrumors Core
    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #2
    Yes, many people have. This is part of the reason why Apple networking products are not used in the enterprise.
     
  3. NogbadTheBad macrumors regular
    Joined:
    Aug 28, 2009
    Location:
    United Kingdom
    #3
    Same as Linksys, Dlink, Belkin, etc .....
     
  4. bilbo--baggins thread starter macrumors 6502a

    Joined:
    Jan 6, 2006
    Location:
    UK
    #4
    I know it's not ideal, but I've found that by using WaterRoof to add the following rule to the firewall

    deny tcp from any to any dst-port 5009

I'm now able to complete the scan without the high risk warning. I suppose the main thing is to be aware of this risk, and to set the password and administer through a direct connection, i.e. by crossover cable or a WPA2 encrypted wifi connection.

Can't imagine it would be that difficult for Apple, after 8 years, to come up with a more secure solution.
     
  5. NogbadTheBad macrumors regular
    Joined:
    Aug 28, 2009
    Location:
    United Kingdom
    #5
This isn't making your network more secure, it's just blocking the scanner on your machine connecting to the AEBS using tcp port 5009.

What happens if someone connects another Mac to the network?
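An added illustration of the point NogbadTheBad makes here (written for this thread, not code from any poster, from WaterRoof or from Apple): a small evaluator for ipfw-style rules in the syntax quoted in post #4. It applies the rule the way a host firewall does, only to packets entering or leaving the host the rule is installed on, so a connection from a second Mac to the AEBS on tcp/5009 is never evaluated by the scanning Mac's rule at all. The IP addresses, the second Mac, and the packets are constructed for the example; only the rule text and port 5009 come from the thread.

```python
"""ipfw-style rule evaluator (added example, not from this thread's posters).

Models a host firewall such as the WaterRoof/ipfw rule quoted in post #4
and shows that the rule governs only traffic seen by the host it is
installed on. All hosts, addresses and packets below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    src_port: int
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "ip" (any protocol)
    src: str                # address or "any"
    dst: str                # address or "any"
    src_ports: frozenset    # empty set means any port
    dst_ports: frozenset


# Subset of ipfw syntax: action proto from src to dst [src-port P] [dst-port P]
RULE_RE = re.compile(
    r"^(allow|deny)\s+(tcp|udp|ip)\s+from\s+(\S+)\s+to\s+(\S+)"
    r"(?:\s+src-port\s+(\S+))?(?:\s+dst-port\s+(\S+))?$"
)


def _ports(spec):
    """Parse '5009' or '22,80,5000-5010' into a frozenset of port numbers."""
    if spec is None:
        return frozenset()
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        ports.update(range(lo, hi + 1))
    return frozenset(ports)


def parse_rule(text):
    """Turn one rule line into a Rule; raises on syntax this subset lacks."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, proto, src, dst, sp, dp = m.groups()
    return Rule(action, proto, src, dst, _ports(sp), _ports(dp))


def _matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.src_ports and pkt.src_port not in rule.src_ports:
        return False
    if rule.dst_ports and pkt.dst_port not in rule.dst_ports:
        return False
    return True


def evaluate(rules, pkt, default="allow"):
    """First matching rule wins, as in ipfw; the default policy otherwise."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return default


def host_verdict(host_ip, rules, pkt):
    """A host firewall only sees packets that enter or leave that host.
    Traffic between two other machines is never evaluated by it."""
    if pkt.src != host_ip and pkt.dst != host_ip:
        return "not seen"
    return evaluate(rules, pkt)


# Constructed addresses: the scanning Mac, the AirPort Extreme, a second Mac.
SCANNER_MAC = "192.168.1.10"
AEBS = "192.168.1.1"
OTHER_MAC = "192.168.1.20"
AEBS_ADMIN_PORT = 5009   # the configuration port the thread discusses

# The exact rule from post #4, installed only on the scanning Mac.
RULES = [parse_rule("deny tcp from any to any dst-port 5009")]


def demo():
    """Verdicts the scanning Mac's firewall gives for three constructed flows."""
    from_scanner = Packet("tcp", SCANNER_MAC, 50000, AEBS, AEBS_ADMIN_PORT)
    from_other = Packet("tcp", OTHER_MAC, 50001, AEBS, AEBS_ADMIN_PORT)
    web_from_scanner = Packet("tcp", SCANNER_MAC, 50002, AEBS, 80)
    return {
        "scanner->aebs:5009": host_verdict(SCANNER_MAC, RULES, from_scanner),
        "other->aebs:5009": host_verdict(SCANNER_MAC, RULES, from_other),
        "scanner->aebs:80": host_verdict(SCANNER_MAC, RULES, web_from_scanner),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:22} {verdict}")
```

The "not seen" result for the second Mac is the whole point: a deny rule on the scanning host changes what that host's scanner can reach, and nothing else on the LAN, which is why the scan passes without the AEBS itself being any harder to reach.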
     
  6. bilbo--baggins thread starter macrumors 6502a

    Joined:
    Jan 6, 2006
    Location:
    UK
    #6
I know that's the case, but that's the recommended fix by the security company. Basically the only 'safe' way of entering the admin password is either over WPA2 or a crossover cable - but that won't stop it from failing the scan the rest of the time. I know it's daft but I have two objectives: 1) pass the scan (i.e. blocking the port) and 2) only accessing the Airport Extreme securely. The two objectives are effectively unrelated - 1 to comply with the box ticking requirement, and 2 to actually carry out the intended purpose of the whole exercise!

    If someone else connects a Mac to the network it doesn't matter because I won't be sending the password over the network in future (which has nothing to do with blocking the port, I know).
     