Cisco has just released a new security advisory that details what caused the ARP storm that recently afflicted Duke University's wireless network.
The advisory, posted on the company's Web site, says that Cisco's wireless LAN controllers have "multiple vulnerabilities in the handling of Address Resolution Protocol (ARP) packets." These vulnerabilities "could result in a denial of service (DoS) in certain environments." The vendor is offering free software to patch this problem, and notes that "there are workarounds to mitigate the effects of these vulnerabilities."
In keeping with Cisco's standard format, the advisory makes no reference to the events at Duke, which were first reported a week ago. At the time, intermittent floods or storms of ARP requests were taking 20 to 30 WLAN access points offline for 10 to 15 minutes. The events involved the newly released Apple iPhone.
But a Cisco spokesman confirmed that the advisory deals with the problem exposed at Duke. "To date, we have not seen widespread issues relating to Apple iPhone across our customers' networks," the spokesman wrote in an e-mail response.
The baffling problem, occurring at least nine times at Duke over about a week, triggered a wave of reader speculation, rants, and recommendations on Networkworld.com and other Internet tech sites.
The advisory finally makes it clear that the iPhone simply triggered ARP storms that were made possible by the controller vulnerabilities. Any other wireless client device moving from one subnet to another apparently could have done the same thing.
According to the advisory, the vulnerabilities are found in versions 4.1, 4.0, and 3.2 and earlier of the company's Wireless LAN Controller software. Affected products include the 4100 and 4400 series of controllers, the earlier Cisco-Airespace 4000 series controller (introduced shortly after Cisco acquired Airespace), the Catalyst 6500 series Wireless Services Module (WiSM, a single-board version of the controller), and the Catalyst 3750 Integrated Wireless LAN Controller.
Many other products are immune to these vulnerabilities, according to Cisco, including the 2000 and 2100 series controllers, various stand-alone access points, and the 3800, 2800, and 1800 series of Integrated Services Routers.
The identified vulnerabilities relate to a unicast ARP request which, in certain circumstances, can be flooded on the LAN links between a group of WLAN controllers (Cisco calls this a "mobility group").
The advisory notes that IP Version 4 hosts use a method, specified in the IETF standard RFC 4436 (Detecting Network Attachment in IPv4), to detect whether they have re-attached to a network to which they had previously been attached. If so, the host may not have to request a new DHCP address lease if the current lease is still valid, according to the advisory. To determine this re-attachment, the host sends a unicast ARP request to the default gateway that it had previously used, rather than broadcasting the request.
But the controller may mishandle this request, sparking the ARP storm. For this to happen, two vulnerable Cisco WLAN controllers, attached to the same set of Layer-2 VLANs, "must each have a context for the wireless client," according to the advisory. That shared context can occur "after a Layer-3 (cross-subnet) roam by the client" or when a guest WLAN is in use.
"If the client sends a unicast ARP request with a destination MAC address that has not been learned by the Layer-2 infrastructure, that request will be flooded to all ports in the Layer-2 domain" after passing the first WLAN controller. The second controller then reprocesses the ARP request and incorrectly re-forwards this packet back into the network, where the first controller sees it again.
If the ARP unicast feature is enabled on the controller, the controller will re-forward broadcast ARP packets targeting the address of a known client context. "This creates an ARP storm if more than one [controller] is installed on the same VLAN," according to the advisory.
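To make the mechanism in the preceding paragraphs concrete, the following is an added example (not code from the article or from Cisco's advisory). It builds the unicast ARP request that an RFC 4436 host sends to its previously used gateway, parses ARP frames from a constructed capture, and flags the signature an ARP storm of this kind leaves on a mirrored switch port: the identical unicast ARP request replayed many times within a short window. All MAC and IP addresses, the capture itself, and the threshold of 50 frames per second are constructed assumptions; a legitimate DNAv4 probe appears only a handful of times.

```python
"""Added example: RFC 4436 unicast ARP probe, a minimal ARP parser, and a
duplicate-frame detector for ARP storms. Standard library only; every
address and timestamp below is constructed for illustration."""
import struct
from collections import Counter

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_HEADER = struct.Struct("!HHBBH")          # htype, ptype, hlen, plen, opcode
ARP_BODY = struct.Struct("!6s4s6s4s")         # sha, spa, tha, tpa
BROADCAST = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_unicast_arp_request(host_mac, host_ip, gw_mac, gw_ip) -> bytes:
    """Ethernet II frame carrying the DNAv4 probe from RFC 4436: an ARP
    request addressed to the cached gateway MAC instead of the broadcast
    address, asking whether the old gateway IP is still reachable."""
    eth = mac_bytes(gw_mac) + mac_bytes(host_mac) + struct.pack("!H", ETH_P_ARP)
    arp = ARP_HEADER.pack(1, 0x0800, 6, 4, ARP_REQUEST)
    arp += ARP_BODY.pack(mac_bytes(host_mac), ip_bytes(host_ip),
                         mac_bytes(gw_mac), ip_bytes(gw_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not an
    Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = ARP_HEADER.unpack(frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = ARP_BODY.unpack(frame[22:42])
    return {"dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src), "op": op,
            "sender_ip": fmt_ip(spa), "target_ip": fmt_ip(tpa),
            "unicast": dst != BROADCAST}


def find_arp_storms(captures, window_s=1.0, threshold=50):
    """captures: iterable of (timestamp_seconds, raw_frame). Returns a dict
    keyed by (src_mac, dst_mac, sender_ip, target_ip) for every unicast ARP
    request seen more than `threshold` times inside one `window_s` bucket.
    A re-forwarding loop between controllers replays the same frame; a host
    probing per RFC 4436 sends it only a few times."""
    counts = Counter()
    for ts, frame in captures:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REQUEST or not arp["unicast"]:
            continue
        key = (arp["src_mac"], arp["dst_mac"], arp["sender_ip"], arp["target_ip"])
        counts[(key, int(ts // window_s))] += 1
    storms = {}
    for (key, _bucket), n in counts.items():
        if n > threshold:
            storms[key] = max(n, storms.get(key, 0))
    return storms


def constructed_capture():
    """Constructed traffic: one genuine DNAv4 probe (sent twice), 200 copies
    of a second client's probe within 0.8 s (the loop), and a few broadcast
    ARP requests that the detector must ignore."""
    gw_mac, gw_ip = "02:00:00:00:ff:01", "10.1.0.1"
    legit = build_unicast_arp_request("02:00:00:00:00:01", "10.1.0.21", gw_mac, gw_ip)
    looped = build_unicast_arp_request("02:00:00:00:00:02", "10.1.0.22", gw_mac, gw_ip)
    bcast = BROADCAST + looped[6:]            # same ARP payload, broadcast dst
    capture = [(0.0, legit), (0.5, legit)]
    capture += [(10.0 + i * 0.004, looped) for i in range(200)]
    capture += [(20.0 + i * 0.1, bcast) for i in range(5)]
    return capture


if __name__ == "__main__":
    for key, n in find_arp_storms(constructed_capture()).items():
        print(f"ARP storm: {n} copies/s of unicast ARP {key[0]} -> {key[1]} "
              f"({key[2]} asks for {key[3]})")
```

On a real network the capture would come from a SPAN port on the controllers' VLAN; the same key-and-window counting works on frames read from a pcap. The check deliberately keys on the full (source, destination, sender IP, target IP) tuple, because the advisory's loop replays one client's frame, whereas many distinct clients each probing once after a roam is normal behaviour.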
The trigger for the ARP storm or flood in a WLAN configured as described is apparently a wireless client that moves from one IP subnet to another. This was in fact the behavior observed by Duke's IT group, with a small number of iPhones. It was initially believed that the iPhone itself was generating the ARP flood.
Cisco will release software updates for versions 3.2 and 4.0 of the controller software on July 27. An update for version 4.1 apparently is now available from Cisco. Further, Cisco recommends that administrators require all clients to obtain their IP address from a DHCP server. To implement this, all WLANs can be configured with a "DHCP required" setting. That will block any wireless client with a static IP address. The advisory notes this will "not be effective against deliberate attempts to craft packets that produce an ARP storm."
Duke CIO Tracy Futhey, in a Web post last Friday, disclosed that the problem lay with Cisco equipment and not the iPhone itself, but did not supply details.