CVE-2001-0352 in AirConnect AP-4111
Summary
by MITRE
SNMP agents in 3Com AirConnect AP-4111 and Symbol 41X1 Access Point allow remote attackers to obtain the WEP encryption key by reading it from a MIB when the value should be write-only, via (1) dot11WEPDefaultKeyValue in the dot11WEPDefaultKeysTable of the IEEE 802.11b MIB, or (2) ap128bWepKeyValue in the ap128bWEPKeyTable in the Symbol MIB.
Analysis
by VulDB Data Team • 10/06/2025
This vulnerability represents a critical security flaw in wireless access point implementations that directly compromises the confidentiality of wireless network communications. The issue affects SNMP agents running on 3Com AirConnect AP-4111 and Symbol 41X1 access points, where sensitive cryptographic parameters are exposed through improper access controls within the management information base. The vulnerability specifically targets the Wired Equivalent Privacy (WEP) encryption mechanism, which was designed to provide security for wireless local area networks but has been widely criticized for its inherent weaknesses.
The technical flaw manifests through two distinct MIB objects that should have been write-only but were instead readable by remote attackers. The first vulnerability involves dot11WEPDefaultKeyValue within the dot11WEPDefaultKeysTable of the IEEE 802.11b MIB, while the second concerns ap128bWepKeyValue in the ap128bWEPKeyTable of the Symbol MIB. These objects contain the actual WEP encryption keys that should remain confidential and only accessible through authenticated administrative sessions. The improper configuration allows unauthenticated remote attackers to extract these cryptographic keys through standard SNMP read operations, effectively bypassing the intended security controls.
The operational impact of this vulnerability is severe as it completely undermines the security of wireless networks protected by WEP encryption. Once an attacker obtains the WEP key through SNMP queries, they can decrypt all wireless traffic passing through the affected access points, gaining access to sensitive data, credentials, and potentially establishing persistent network access. This vulnerability aligns with CWE-200 (Information Exposure) and represents a classic case of improper access control where sensitive information is exposed through management interfaces. The attack vector is particularly dangerous because it requires no specialized tools beyond standard SNMP utilities and can be executed from any network location with access to the SNMP agent.
From an adversarial perspective, this vulnerability maps directly to ATT&CK techniques T1071.004 (Application Layer Protocol: DNS) and T1046 (Network Service Scanning), as attackers can discover and exploit the vulnerable SNMP services to extract cryptographic keys. The vulnerability also demonstrates the broader issue of inadequate security configuration management in network infrastructure devices, where default settings fail to properly restrict access to sensitive operational parameters. Organizations using affected access points face significant risk of data breaches, man-in-the-middle attacks, and unauthorized network access, particularly in environments where wireless networks handle confidential information.
Effective mitigation strategies include immediate implementation of SNMP access control lists to restrict read access to sensitive MIB objects, deployment of SNMPv3 with strong authentication and encryption mechanisms, and complete removal of WEP encryption from wireless networks in favor of more secure protocols such as WPA2 or WPA3. Network administrators should also implement network segmentation to limit access to management interfaces and regularly audit device configurations to ensure proper access controls are in place. The vulnerability highlights the critical importance of proper security hardening and configuration management practices in network infrastructure devices, particularly those handling cryptographic keys and sensitive operational parameters.
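One way to carry out the configuration audit recommended above, as an added example that is not part of the original advisory: the script checks a saved SNMP walk of an access point you administer and reports whether either key column named in the summary answers a read with a non-empty value. It assumes net-snmp style output lines (`MODULE::object.index = TYPE: value`); the function names and the sample walk are constructed for illustration.

```python
import re

# Column names taken from the advisory; every instance of these holds key material.
KEY_COLUMNS = ("dot11WEPDefaultKeyValue", "ap128bWepKeyValue")

# Assumed input format: net-snmp style "MODULE::object.index = TYPE: value".
LINE_RE = re.compile(
    r"^(?:(?P<module>[\w-]+)::)?(?P<column>\w+)\.(?P<index>[\d.]+)"
    r"\s*=\s*(?P<rest>.*)$"
)

# Constructed sample walk; the key octets are zeroed placeholders, not real keys.
SAMPLE_WALK = """\
IEEE802dot11-MIB::dot11WEPDefaultKeyValue.1.1 = Hex-STRING: 00 00 00 00 00
IEEE802dot11-MIB::dot11WEPDefaultKeyValue.1.2 = ""
IEEE802dot11-MIB::dot11PrivacyInvoked.1 = INTEGER: true(1)
ap128bWepKeyValue.1 = Hex-STRING: 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

def value_length(rest):
    """Return the number of octets in a rendered value, 0 if nothing was returned."""
    rest = rest.strip()
    if rest in ('""', "") or rest.startswith("No Such"):
        return 0
    kind, sep, value = rest.partition(":")
    if not sep:  # untyped rendering such as "abc"
        kind, value = "", rest
    value = value.strip()
    if kind.strip() == "Hex-STRING":
        return len(value.split())
    return len(value.strip('"'))

def audit_walk(text):
    """Return one finding per key object that is readable with a non-empty value."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("column") not in KEY_COLUMNS:
            continue
        octets = value_length(m.group("rest"))
        if octets:
            # Report only the length so the audit output never contains the key.
            name = f'{m.group("column")}.{m.group("index")}'
            findings.append({"object": name, "octets": octets})
    return findings
```

An empty result means the agent returned nothing readable for the key columns in that walk; any finding means the device should be moved behind restricted management access and off WEP, as described above.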