CERT-In Advisory CIAD-2007-39
Wireless ARP Storm Vulnerabilities
Original issue date: July 26, 2007
Severity Rating: Low
Systems Affected
- Cisco 4100 Series Wireless LAN Controllers
- Cisco 4400 Series Wireless LAN Controllers
- Cisco Airespace 4000 Series Wireless LAN Controller
- Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
- Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
Overview
Cisco Wireless LAN (WLAN) Controllers contain multiple vulnerabilities in ARP response handling. An ARP storm may be generated, which subsequently leads to a Denial of Service (DoS) condition.
Description
The Address Resolution Protocol (ARP) maps between hardware (MAC) addresses and IP addresses. On a wireless LAN, a Wireless LAN Controller (WLC) is used for management functions. Because of a vulnerability in the processing of unicast ARP traffic, if a client sends a unicast ARP request with a destination MAC address that has not been learned by the Layer-2 infrastructure, the request will be flooded to all ports in the Layer-2 domain after egressing the WLC. This allows a second WLC to reprocess the ARP request and incorrectly re-forward the packet back into the network. If the arp-unicast feature has been enabled on the WLC, the WLC will also re-forward broadcast ARP packets targeting the IP address of a known client context. This creates an ARP storm if more than one WLC is installed on the corresponding VLAN.
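The loop described above shows up on the wire as the same ARP request repeating far faster than any real client would send it. The following is an added example (not part of the CERT-In advisory or Cisco's own tooling) that flags such a storm from a constructed ARP capture log; the log format, the one-second window and the threshold of 50 repeats are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample log, one ARP frame per line:
#   <seconds> <opcode> <sender MAC> <sender IP> <target IP>
# Normal traffic first, then one request replayed every 5 ms for a second,
# which is what the WLC re-forwarding loop looks like on the VLAN.
SAMPLE_ARP_LOG = (
    "0.00 request 00:11:22:33:44:01 10.0.0.11 10.0.0.1\n"
    "0.50 request 00:11:22:33:44:02 10.0.0.12 10.0.0.1\n"
    "1.00 reply   00:11:22:33:44:fe 10.0.0.1  10.0.0.11\n"
    + "".join(
        f"{2.0 + i * 0.005:.3f} request 00:11:22:33:44:03 10.0.0.13 10.0.0.99\n"
        for i in range(200)
    )
)


def parse_arp_log(text):
    """Turn the log text into (timestamp, opcode, sender_mac, sender_ip, target_ip) tuples."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, smac, sip, tip = line.split()
        frames.append((float(ts), op, smac.lower(), sip, tip))
    return frames


def find_arp_storms(frames, window=1.0, threshold=50):
    """Return {(sender_mac, target_ip): peak_count} for every ARP request flow
    whose repeat count inside some `window`-second span reaches `threshold`.
    A legitimate client retries a request a handful of times, not dozens."""
    by_flow = defaultdict(list)
    for ts, op, smac, sip, tip in frames:
        if op == "request":
            by_flow[(smac, tip)].append(ts)
    storms = {}
    for flow, times in by_flow.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            storms[flow] = peak
    return storms


if __name__ == "__main__":
    for (mac, ip), count in find_arp_storms(parse_arp_log(SAMPLE_ARP_LOG)).items():
        print(f"ARP storm: {mac} asking for {ip}, {count} requests within 1 s")
```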
Workaround
Clients with static IP addresses should not be allowed on the network; only DHCP clients should be permitted.
Vendor Information
http://www.cisco.com/warp/public/707/cisco-sa-20070724-arp.shtml
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003