Article

Cisco issues warning for wireless LAN controller flaws

Robert Westervelt, News Director

Cisco Systems Inc. issued an advisory today warning customers of several vulnerabilities in its wireless LAN controllers that could be exploited remotely to conduct a denial of service attack.

The Cisco 4100 and 4400 series wireless LAN controllers are affected as well as its Airespace 4000 series, its Catalyst 3750 series integrated wireless LAN controllers and its Catalyst 6500 series wireless services module (WiSM), according to the

    Requires Free Membership to View

advisory, Cisco issued today.

The issue first came to light during a series of incidents at Duke University last week, when the Durham, N.C. school experienced temporary disruptions to its wireless network.

"Those conditions involve our deployment of a very large Cisco-based wireless network that supports multiple network protocols," said Tracy Futhey, Duke's chief information officer in a statement issued last week.

Futhey said Cisco provided a fix which was applied to Duke's network and there have been no recurrences of the problem since.

Cisco wireless LANs are used in homes and businesses to allow devices to communicate without being connected to a network with a cable. The problems are associated with the address resolution protocol (ARP), which provides a mapping between a device's IP address and its hardware address on the local network. The controllers contain flaws when "processing unicast ARP traffic where a unicast ARP request may be flooded on the LAN links between Wireless LAN Controllers in a mobility group." An attacker does not need to authenticate to exploit the vulnerability, Cisco said.

A software patch will be issued for the affected devices on July 27 for versions 3.2 and 4.0 of the devices. An update for version 4.1 is now available from Cisco. As a workaround, "Cisco recommends that operators require all clients to obtain their IP addresses from a DHCP server. To enforce this requirement, all WLANs can be configured with a DHCP Required setting, which disallows client static IP addresses."

Cisco will release software updates for versions 3.2 and 4.0 of the controller software on July 27.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: