Full Disclosure mailing list archives
Re: Cisco Security Advisory: Wireless ARP Storm Vulnerabilities - aka iPhoneDoS
From: coderman <coderman () gmail com>
Date: Tue, 24 Jul 2007 11:27:22 -0700
On 7/24/07, Cisco Systems Product Security Incident Response Team <psirt () cisco com> exposed their shame as such:
... Cisco Wireless LAN Controllers (WLC) contain multiple vulnerabilities in the handling of Address Resolution Protocol (ARP) packets that could result in a denial of service (DoS) in certain environments.
hey, that's a feature! just sit back and let aircrack-ptw go to town! uNF!
The WLC contains vulnerabilities in the processing of unicast ARP traffic where a unicast ARP request may be flooded on the LAN links between Wireless LAN Controllers in a mobility group.
unicast == broadcast? that's some funny shit, cisco. how long you been doing this networking stuff? (ok, centralized MAC's for wifi are not old hat, but still...)
A vulnerable WLC may mishandle unicast ARP requests from a wireless client leading to an ARP storm. In order for the vulnerability to be exposed, two WLCs attached to the same set of Layer-2 VLANs must each have a context for the wireless client. This can occur after a Layer-3 (cross-subnet) roam or when guest WLAN (auto-anchor) is in use.
this is almost as much fun as associating to an AP with its own MAC, then doing a DHCP. (when it works, it's hilarious!)
... This vulnerability is documented as CSCsj69233. ... This vulnerability is documented as CSCsj50374 ... This vulnerability is documented as CSCsj70841. ... This behavior has been corrected as part of CSCsj70841.
a few stones uncovered eh.. thanks for the lolz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Cisco Security Advisory: Wireless ARP Storm Vulnerabilities - aka iPhoneDoS coderman (Jul 24)