Notified:  May 12, 2004 Updated: June 07, 2004

Status

Affected

Vendor Statement

Aruba Wireless Networks Security Advisory Title: IEEE 802.11 wireless network protocol DSSS CCA algorithm vulnerable to denial of service Aruba Advisory ID: AID-04172004 Revision: 1.0 For Public Release on 04/17/2004 at 23:00 (GMT) References: CERT Vulnerability Note VU#106678 SUMMARY A Denial of Service vulnerability for 802.11 devices was made public on 05/13/2004 by http://www.cert.org. The vulnerability alert disclosed how an attacker using an 802.11 device could mount a denial of service attack exploiting the CCA function of the 802.11 MAC. This attack would cause the 802.11 devices within the physical vicinity of the attacker to assume that the channel is busy and withhold their transmissions. PRODUCTS AND FIRMWARE VERSIONS AFFECTED Hardware: All Aruba Wireless Networks Platform. Software: All available versions affected. DETAILS The 802.11 MAC is based on the Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA), which determines the sequence in which WLAN devices on the same channel can transmit their packets in order to minimize the chances of two simultaneous transmissions. One of the primary functions in CSMA/CA is the Clear Channel Assessment (CCA) which requires every device with a packet to transmit to first determine if that particular channel is free. If this device senses the presence of a signal on that channel, then CCA dictates this device to withhold its own transmission pending the completion of what is being sensed as the current packet transmission. The CCA function has an inherent vulnerability that could be exploited by an attacker sending a continuous transmission on that channel. This can cause all devices within hearing distance of the attacker's device to sense the channel to be busy and withhold their own transmissions leading this to a denial of service on that channel. This vulnerability is inherent to the CCA function of the 802.11 MAC and it is expected to affect almost all 802.11 devices that are currently being used in the world today. It is not vendor specific implementation vulnerability. In order for an attacker to exploit this vulnerability, the attacker has to be physically close to the devices under attack. IMPACT An attacker could cause all 802.11 devices within a certain physical distance from the attacker's device to sense the channel to be busy and make the channel unusable for those valid 802.11 devices. All 802.11 devices operate in unlicensed bands and are subject to interference from other devices present in these bands, such as: microwave ovens, Bluetooth devices, baby monitors, cordless telephones. When these devices are operated at the same time as a 802.11b or 802.11g Wireless network, they cause interference to each other. It is possible for any of these devices to cause enough interference to each other that could make the channel almost unusable. This is a small price to pay for operating in the unlicensed bands. WORKAROUNDS Currently, there are no known workarounds for the vulnerability in CCA. SOLUTION Aruba's products have the ability to detect interference that is being faced by the Aruba APs and associated stations, but not currently implemented for this specific attack. Aruba is working on advanced heuristics not only to detect and alert this attack, but also have our radio resource assignment algorithms to workaround such attacks by changing the channel assignments on our APs once this attack is detected. We are also working with our chipset vendors to build logic into their products that will enable us, in the future, to detect such attacks and, possibly, pinpoint the physical location of the source of these attacks. OBTAINING FIXED FIRMWARES There is no current firmware with the enhancements described above. Once one become available, this document will be updated. Aruba Support contacts are as follows: 1-800-WiFiLAN (1-800-943-4526) (toll free from within North America) +1-408-754-1200 (toll call from anywhere in the world) e-mail: support(at)arubanetworks.com web: http://www.arubanetworks.com/support Please, do not contact either ôwsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades. EXPLOITATION AND PUBLIC ANNOUNCEMENTS This vulnerability has been announced at http://www.kb.cert.org/vuls/id/106678 STATUS OF THIS NOTICE: Interim This is an Interim advisory. Although Aruba Wireless networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Wireless Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Wireless Networks may update this advisory. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. DISTRIBUTION OF THIS ANNOUCEMENT This advisory will be posted on Aruba's website at http://www.arubanetworks.com/support/wsirt/alerts/AID-04172004.asc In addition to worldwide web posting, a text version of this notice is clear-signed with the Aruba WSIRT PGP key having the fingerprint AB90 36CE 259C 7BA1 4FAF 62F8 3EF2 6968 39C3 A3C0 and is posted to the following e-mail recipients. * cert@cert.org Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. REVISION HISTORY Revision 1.0 /04-15-2004 / Initial release ARUBA WSIRT SECURITY PROCEDURES Complete information on reporting security vulnerabilities in Aruba Wireless Networks products, obtaining assistance with security incidents is available at http://www.arubanetworks.com/support/wsirt.php For reporting *NEW* Aruba Wireless Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support/wsirt.php (c) Copyright 2004 by Aruba Wireless Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.