Cisco Multiple Products Wireless ARP Requests Denial of Service
Secunia Advisory: SA26161Release Date: 2007-07-25
Last Update: 2007-07-27
Critical: Moderately critical
Impact: DoS
Where: From local network
Solution Status: Partial Fix
OS: Cisco 4400 Series Wireless LAN Controller
Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
Software: Cisco Catalyst 6500 Series Wireless Service Module (WiSM)
CVE reference: CVE-2007-4011
CVE-2007-4012
Description:
Some vulnerabilities have been reported in multiple Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service).
1) Certain Cisco Wireless Lan Controllers (WLCs) do not correctly handle unicast ARP requests from MAC addresses that are unknown to the Layer-2 infrastructure, causing a second WLC to incorrectly re-forward the ARP request back into the network.
Successful exploitation allows to cause a DoS due to heavy network traffic, but requires that two WLCs are attached to the same set of Layer-2 VLANs and each have a context for the wireless client, e.g. if a guest WLAN (auto-anchor) is used or after a Layer-3 (cross-subnet) roam.
2) Broadcast ARP packets for the IP address of a known client context are not correctly handled and re-forwarded into the network.
Successful exploitation allows to cause a DoS due to heavy network traffic, but requires that more than 1 WLC is installed for the corresponding network and that the arpunicast feature is enabled.
Note: This affects version 4.1 only.
3) In certain Layer-3 (L3) roaming scenarios (e.g. when wireless clients move from one controller to another and the wireless LAN interfaces are configured on different controllers which are on different IP subnets), a foreign controller may send a unicast ARP request out to a local VLAN.
The vulnerabilities are reported in software versions 4.1, 4.0, 3.2, and prior in for the following products:
* Cisco 4100 Series Wireless LAN Controllers
* Cisco 4400 Series Wireless LAN Controllers
* Cisco Airespace 4000 Series Wireless LAN Controller
* Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
* Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
Solution:
Version 3.2:
Reportedly, an update will be available 27-July-2007.
Version 4.0:
Reportedly, an update will be available 27-July-2007.
Version 4.1:
Update to version 4.1.181.0.
Provided and/or discovered by:
Reported to the vendor by customers.
Changelog:
2007-07-27: Added CVE reference.
Original Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20070724-arp.shtml
Labels: Vulnerability, Wireless
<< Home