search menu icon-carat-right cmu-wordmark

CERT Coordination Center


IEEE 802.11 wireless network protocol DSSS CCA algorithm vulnerable to denial of service

Vulnerability Note VU#106678

Original Release Date: 2004-05-13 | Last Revised: 2008-02-15

Overview

The IEEE 802.11 wireless networking protocol contains a vulnerability that could allow a remote attacker to cause a denial of service to any wireless device within range.

Description

IEEE 802.11 wireless network protocols use a Clear Channel Assessment (CCA) algorithm to determine whether or not the radio frequency (RF) channel is clear so that a device on the network can transmit data. The CCA algorithm used in conjunction with Direct Sequence Spread Spectrum (DSSS) transmission is vulnerable to an attack in which a specially crafted RF signal (PLME_DSSSTESTMODE) will cause the algorithm to conclude that the channel is busy, so that no device in range of the signal will transmit data. This type of signal is sometimes called "jabber." The attacker must be actively transmitting a signal and within range to affect wireless devices.

This vulnerability is more thoroughly documented in AusCERT Advisory AA-2004.02. AusCERT notes that devices that use 802.11 and DSSS transmission encoding are affected:

Wireless hardware devices that implement IEEE 802.11 using a DSSS physical layer. Includes IEEE 802.11, 802.11b and low-speed (below 20Mbps) 802.11g wireless devices. Excludes IEEE 802.11a and high-speed (above 20Mbps) 802.11g wireless devices.
This is not an implementation vulnerability; any 802.11 DSSS device, including wireless network cards and access points, is vulnerable. WEP, WPA, or other WLAN security features will not protect vulnerable devices. As explained in a Technical Summary by researchers at the Queensland University of Technology (QUT) Information Security Research Centre (ISRC), this vulnerability exists in the Packet Layer Convergence Procedure (PLCP) layer, below the MAC layer. MAC layer security will not mitigate this vulnerability.

It is worth noting that since 802.11 management frames are weakly authenticated (VU#391513), it is possible for an attacker to DoS an 802.11 network by sending de-authentication or failed authentication frames using the spoofed MAC and IP addresses of an access point. Tools that perform this type of attack are publicly available (FATA-jack, airjack, wlan-jack). While the CCA attack may be less expensive for an attacker, both attacks have similar characteristics (active attacker in range using commodity hardware) and impacts (DoS while attacker is in range and active). Wireless networks in general are also subject to RF interference or jamming. Careful consideration should be given to the use of commercial grade wireless networks for applications that require high availability.

Impact

An unauthenticated, remote attacker can cause any vulnerable device within range to stop transmitting, causing a denial of service.

Solution

A complete solution is not available for 802.11 DSSS devices. As noted by AusCERT, "...a comprehensive solution, in the form of software or firmware upgrade, is not available for retrofit to existing devices. Fundamentally, the issue is inherent in the protocol implementation of IEEE 802.11 DSSS." Sites running wireless networks should consider security and availability requirements, network design, and the workarounds listed below.


Use non-DSSS 802.11 protocols

802.11 protocols that use frequency hopping spread spectrum (FHSS) or orthogonal frequency division multiplexing (OFDM) are not affected by this vulnerability. 802.11a uses OFDM, 802.11 can use FHSS, and 802.11g can use OFDM. Note that this workaround will not provide protection against management frame spoofing or RF attacks.

Constrain wireless networks

Depending on the application and site infrastructure, it may be possible to prevent attackers from getting in range of 802.11 networks by using physical barriers (walls, fences, elevation, etc.). In addition, different building materials provide various degrees of shielding.

Do not rely on 802.11 for high availability

Due to the inherent vulnerabilities in 802.11 (VU#106678, VU#391513, RF interference), do not deploy 802.11 networks for applications that require high availability (e.g. safety, critical infrastructure).

Vendor Information

106678
Expand all

Aruba Networks

Notified:  May 12, 2004 Updated:  June 07, 2004

Status

  Vulnerable

Vendor Statement

--------------------------------------------------------------------------


     Aruba Wireless Networks Security Advisory

Title: IEEE 802.11 wireless network protocol DSSS CCA algorithm vulnerable
to denial of service
Aruba Advisory ID: AID-04172004
Revision: 1.0
For Public Release on 04/17/2004 at 23:00 (GMT)
References: CERT Vulnerability Note VU#106678


--------------------------------------------------------------------------

SUMMARY

A Denial of Service vulnerability for 802.11 devices was made public on
05/13/2004 by
http://www.cert.org. The vulnerability alert disclosed how
an attacker using an 802.11 device could mount a denial of service attack
exploiting the CCA function of the 802.11 MAC. This attack would cause the
802.11 devices within the physical vicinity of the attacker to assume that
the channel is busy and withhold their transmissions.


PRODUCTS AND FIRMWARE VERSIONS AFFECTED

Hardware: All Aruba Wireless Networks Platform.
Software: All available versions affected.


DETAILS

The 802.11 MAC is based on the Carrier Sense Multiple Access/Collision
Avoidance (CSMA/CA), which determines the sequence in which WLAN devices
on the same channel can transmit their packets in order to minimize the
chances of two simultaneous transmissions.
One of the primary functions in CSMA/CA is the Clear Channel Assessment
(CCA) which requires every device with a packet to transmit to first
determine if that particular channel is free. If this device senses the
presence of a signal on that channel, then CCA dictates this device to
withhold its own transmission pending the completion of what is being
sensed as the current packet transmission.

The CCA function has an inherent vulnerability that could be exploited by
an attacker sending a continuous transmission on that channel. This can
cause all devices within hearing distance of the attacker's device to
sense the channel to be busy and withhold their own transmissions leading
this to a denial of service on that channel.

This vulnerability is inherent to the CCA function of the 802.11 MAC and
it is expected to affect almost all 802.11 devices that are currently
being used in the world today. It is not vendor specific implementation
vulnerability.

In order for an attacker to exploit this vulnerability, the attacker has
to be physically close to the devices under attack.

IMPACT

An attacker could cause all 802.11 devices within a certain physical
distance from the attacker's device to sense the channel to be busy and
make the channel unusable for those valid 802.11 devices.

All 802.11 devices operate in unlicensed bands and are subject to
interference from other devices present in these bands, such as: microwave
ovens, Bluetooth devices, baby monitors, cordless telephones.
When these devices are operated at the same time as a 802.11b or 802.11g
Wireless network, they cause interference to each other. It is possible
for any of these devices to cause enough interference to each other that
could make the channel almost unusable. This is a small price to pay for
operating in the unlicensed bands.

WORKAROUNDS

Currently, there are no known workarounds for the vulnerability in CCA.

SOLUTION

Aruba's products have the ability to detect interference that is being
faced by the Aruba APs and associated stations, but not currently
implemented for this specific attack.
Aruba is working on advanced heuristics not only to detect and alert this
attack, but also have our radio resource assignment algorithms to
workaround such attacks by changing the channel assignments on our APs
once this attack is detected.

We are also working with our chipset vendors to build logic into their
products that will enable us, in the future, to detect such attacks and,
possibly, pinpoint the physical location of the source of these attacks.


OBTAINING FIXED FIRMWARES

There is no current firmware with the enhancements described above.
Once one become available, this document will be updated.


  Aruba Support contacts are as follows:

    1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
    +1-408-754-1200 (toll call from anywhere in the world)
    e-mail: support(at)arubanetworks.com
    web:
http://www.arubanetworks.com/support

  Please, do not contact either ôwsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability has been announced at
http://www.kb.cert.org/vuls/id/106678


STATUS OF THIS NOTICE: Interim


This is an Interim advisory. Although Aruba Wireless networks cannot
guarantee the accuracy of all statements in this advisory, all of the
facts have been checked to the best of our ability. Aruba Wireless
Networks does not anticipate issuing updated versions of this
advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Wireless Networks
may update this advisory.

A stand-alone copy or paraphrase of the text of this security
advisory that omits the distribution URL in the following section is
an uncontrolled copy, and may lack important information or contain
factual errors.

DISTRIBUTION OF THIS ANNOUCEMENT

     This advisory will be posted on Aruba's website at
     
http://www.arubanetworks.com/support/wsirt/alerts/AID-04172004.asc

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Aruba WSIRT PGP key having the fingerprint
AB90 36CE 259C 7BA1 4FAF  62F8 3EF2 6968 39C3 A3C0 and is posted to
the following e-mail recipients.

    * cert@cert.org

Future updates of this advisory, if any, will be placed on Aruba's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

REVISION HISTORY


     Revision 1.0 /04-15-2004 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba
Wireless Networks products, obtaining assistance with security
incidents is available at
     
http://www.arubanetworks.com/support/wsirt.php


For reporting *NEW* Aruba Wireless Networks security issues, email
can be sent to wsirt(at)arubanetworks.com or
security(at)arubanetworks.com.
For sensitive information we encourage the use of PGP encryption. Our
public keys can be found at
http://www.arubanetworks.com/support/wsirt.php


     (c) Copyright 2004 by Aruba Wireless Networks, Inc.
This advisory may be redistributed freely after the release date

given at the top of the text, provided that redistributed copies are
complete and unmodified, including all date and version information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer, Inc.

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems, Inc.

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

D-Link Systems

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Extreme Networks

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Foundry Networks Inc.

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Corporation

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks, Inc.

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Linksys

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Technologies

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Marconi

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MiTel

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Motorola

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks, Inc.

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZyXEL

Updated:  May 13, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was researched by the Queensland University of Technology (QUT) Information Security Research Centre (ISRC) and coordinated by the Australian Computer Emergency Response Team (AusCERT).

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2004-0459
Severity Metric: 14.11
Date Public: 2004-05-12
Date First Published: 2004-05-13
Date Last Updated: 2008-02-15 23:50 UTC
Document Revision: 36

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.