||Internet Sharing in Apple Mac OS X before 10.7.3 does not preserve the
Wi-Fi configuration across software updates, which allows remote
attackers to obtain sensitive information by leveraging the lack of a
WEP password for a Wi-Fi network.
||SQL injection vulnerability in kategori.asp in MunzurSoft Wep Portal
W3 allows remote attackers to execute arbitrary SQL commands via the
||The Marvell driver for the Linksys WAP4400N Wi-Fi access point with
firmware 1.2.14 on the Marvell 88W8361P-BEM1 chipset, when WEP mode is
enabled, does not properly parse malformed 802.11 frames, which allows
remote attackers to cause a denial of service (reboot or hang-up) via
a malformed association request containing the WEP flag, as
demonstrated by a request that is too short, a different vulnerability
than CVE-2008-1144 and CVE-2008-1197.
||WeFi 220.127.116.11.1, when diagnostic mode is enabled, stores (1) WEP, (2)
WPA, and (3) WPA2 access-point keys in (a) ClientWeFiLog.dat, (b)
ClientWeFiLog.bak, and possibly (c) a certain .inf file under
%PROGRAMFILES%\WeFi\Users\, and uses cleartext for the ClientWeFiLog
files, which allows local users to obtain sensitive information by
reading these files.
||ZyXEL Prestige routers, including P-660, P-661, and P-662 models with
firmware 3.40(AGD.2) through 3.40(AHQ.3), allow remote authenticated
users to obtain authentication data by making direct HTTP requests and
then reading the HTML source, as demonstrated by a request for (1)
RemMagSNMP.html, which discloses SNMP communities; or (2) WLAN.html,
which discloses WEP keys.
||The AXIS 207W camera stores a WEP or WPA key in cleartext in the
configuration file, which might allow local users to obtain sensitive
||Unspecified vulnerability in the AirPcap support in Wireshark
(formerly Ethereal) 0.99.3 has unspecified attack vectors related to
WEP key parsing.
||The Microsoft Wireless Zero Configuration system (WZCS) allows local
users to access WEP keys and pair-wise Master Keys (PMK) of the WPA
pre-shared key via certain calls to the WZCQueryInterface API function
||The Microsoft Wireless Zero Configuration system (WZCS) stores WEP
keys and pair-wise Master Keys (PMK) of the WPA pre-shared key in
plaintext in memory of the explorer process, which allows attackers
with access to process memory to steal the keys and access the
||Wireless Access Points (AP) for (1) Avaya AP-3 through AP-6 2.5 to
2.5.4, and AP-7/AP-8 2.5 and other versions before 3.1, and (2) Proxim
AP-600 and AP-2000 before 2.5.5, and Proxim AP-700 and AP-4000 after
2.4.11 and before 3.1, use a static WEP key of "12345", which allows
remote attackers to bypass authentication.
||The Apple AirPort card uses a default WEP key when not connected to a
known or trusted network, which can cause it to automatically connect
to a malicious network.
||TFTP server in Longshine Wireless Access Point (WAP) LCS-883R-AC-B,
and in D-Link DI-614+ 2.0 which is based on it, allows remote
attackers to obtain the WEP secret and gain administrator privileges
by downloading the configuration file (config.img) and other files
||Symbol Access Portable Data Terminal (PDT) 8100 does not hide the
default WEP keys if they are not changed, which could allow attackers
to retrieve the keys and gain access to the wireless network.
||GlobalSunTech Wireless Access Points (1) WISECOM GL2422AP-0T, and
possibly OEM products such as (2) D-Link DWL-900AP+ B1 2.1 and 2.2,
(3) ALLOY GL-2422AP-S, (4) EUSSO GL2422-AP, and (5) LINKSYS
WAP11-V2.2, allow remote attackers to obtain sensitive information
like WEP keys, the administrator password, and the MAC filter via a
"getsearch" request to UDP port 27155.
||D-Link DWL-900AP+ Access Point 2.1 and 2.2 allows remote attackers to
access the TFTP server without authentication and read the config.img
file, which contains sensitive information such as the administrative
password, the WEP encryption keys, and network configuration
||Compaq Intel PRO/Wireless 2011B LAN USB Device Driver 18.104.22.168 through
22.214.171.124 stores the 128-bit WEP (Wired Equivalent Privacy) key in
plaintext in a registry key with weak permissions, which allows local
users to decrypt network traffic by reading the WEP key from the
||Orinoco RG-1000 wireless Residential Gateway uses the last 5 digits of
the 'Network Name' or SSID as the default Wired Equivalent Privacy
(WEP) encryption key. Since the SSID occurs in the clear during
communications, a remote attacker could determine the WEP key and
decrypt RG-1000 traffic.
||SNMP service in Atmel 802.11b VNET-B Access Point 1.3 and earlier, as
used in Netgear ME102 and Linksys WAP11, accepts arbitrary community
strings with requested MIB modifications, which allows remote
attackers to obtain sensitive information such as WEP keys, cause a
denial of service, or gain access to the network.
||SNMP agents in 3Com AirConnect AP-4111 and Symbol 41X1 Access Point
allow remote attackers to obtain the WEP encryption key by reading it
from a MIB when the value should be write-only, via (1)
dot11WEPDefaultKeyValue in the dot11WEPDefaultKeysTable of the IEEE
802.11b MIB, or (2) ap128bWepKeyValue in the ap128bWEPKeyTable in the
||Cisco 340-series Aironet access point using firmware 11.01 does not
use 6 of the 24 available IV bits for WEP encryption, which makes it
easier for remote attackers to mount brute force attacks.
||Lucent/ORiNOCO WaveLAN cards generate predictable Initialization
Vector (IV) values for the Wireless Encryption Protocol (WEP) which
allows remote attackers to quickly compile information that will let
them decrypt messages.