Cisco's ARP Attack
The malicious attack doesn't look as if it will pose much of a challenge to large-scale, remotely managed enterprise deployments, but it could pose a threat to schools and muncipalities, which still have large networks of standalone access points in place.
The advisory, which was posted on Cisco's Website yesterday afternoon, says that the attack could affect many of Cisco's Aironet enterprise WiFi products, such as the 1400 Series wireless bridges; 1300 series APs; Cisco 1200 Series APs; 1100 Series APs; and 350 Series APs running Cisco's IOS operating system. Cisco has posted a software fix for the problem here.
Dell'Oro Group analyst Greg Collins says that since the year 2000 Cisco has sold around 2.5 million Aironet standalone APs. There is no real way to quantify how many of these are now controlled via Cisco's WLSE management platform or newer Airespace controllers, and how many still operate as standalone, independent radio nodes.
Danish security firm Secunia says that the vulnerability allows a hacker to send IP address Resolution Protocol (ARP) messages to the management interface of the access point until it runs out of memory.
"Successful exploitation causes the AP to be unable to pass traffic until the device is restarted, but requires the ability to send ARP messages to the management interface of the AP," Secunia notes in its advisory.
Gary Berzack, CTO at New York-based integrator eTribeca LLC, describes the vulnerability as a "limited problem", even though the alert covers many of Cisco's standalone APs.
"This is a malicious attack... You need proximity, plus access" to the AP itself, says Berzack.
But he thinks that the attack could become an issue for some Cisco WLAN customers that still use standalone access points and don't have the ability to remotely manage their networks.
"The management is the issue... getting access to the APs [which are generally installed in a building's ceiling] and getting the updates installed."
— Dan Jones, Site Editor, Unstrung