
CERT Coordination Center

IEEE 802.11 wireless network protocol DSSS CCA algorithm vulnerable to denial of service

Vulnerability Note VU#106678

Original Release Date: 2004-05-13 | Last Revised: 2008-02-15

Overview

The IEEE 802.11 wireless networking protocol contains a vulnerability that could allow a remote attacker to cause a denial of service to any wireless device within range.

Description

IEEE 802.11 wireless network protocols use a Clear Channel Assessment (CCA) algorithm to determine whether or not the radio frequency (RF) channel is clear so that a device on the network can transmit data. The CCA algorithm used in conjunction with Direct Sequence Spread Spectrum (DSSS) transmission is vulnerable to an attack in which a specially crafted RF signal (PLME_DSSSTESTMODE) will cause the algorithm to conclude that the channel is busy, so that no device in range of the signal will transmit data. This type of signal is sometimes called "jabber." The attacker must be actively transmitting a signal and within range to affect wireless devices.

This vulnerability is more thoroughly documented in AusCERT Advisory AA-2004.02. AusCERT notes that devices that use 802.11 and DSSS transmission encoding are affected:

Wireless hardware devices that implement IEEE 802.11 using a DSSS physical layer. Includes IEEE 802.11, 802.11b and low-speed (below 20Mbps) 802.11g wireless devices. Excludes IEEE 802.11a and high-speed (above 20Mbps) 802.11g wireless devices.

This is not an implementation vulnerability; any 802.11 DSSS device, including wireless network cards and access points, is vulnerable. WEP, WPA, or other WLAN security features will not protect vulnerable devices. As explained in a Technical Summary by researchers at the Queensland University of Technology (QUT) Information Security Research Centre (ISRC), this vulnerability exists in the Packet Layer Convergence Procedure (PLCP) layer, below the MAC layer. MAC layer security will not mitigate this vulnerability.

It is worth noting that since 802.11 management frames are weakly authenticated (VU#391513), it is possible for an attacker to DoS an 802.11 network by sending de-authentication or failed authentication frames using the spoofed MAC and IP addresses of an access point. Tools that perform this type of attack are publicly available (FATA-jack, airjack, wlan-jack). While the CCA attack may be less expensive for an attacker, both attacks have similar characteristics (active attacker in range using commodity hardware) and impacts (DoS while attacker is in range and active). Wireless networks in general are also subject to RF interference or jamming. Careful consideration should be given to the use of commercial grade wireless networks for applications that require high availability.

Impact

An unauthenticated, remote attacker can cause any vulnerable device within range to stop transmitting, causing a denial of service.
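A monitoring sketch for the condition described above, added here as an example and not taken from the CERT/CC note, AusCERT, or any vendor: a channel that the radio reports as busy almost all the time while almost none of that time is spent receiving or transmitting decodable frames. It compares two snapshots of the cumulative counters printed by `iw dev <ifname> survey dump` on Linux; the sample values, the thresholds and the verdict names are assumptions, and not every driver reports these counters. The same signature is produced by non-802.11 RF interference, so a hit identifies a held-busy channel, not its cause.

```python
import re

FIELDS = ("active", "busy", "receive", "transmit")
FREQ_RE = re.compile(r"^\s*frequency:\s+(\d+) MHz")
TIME_RE = re.compile(r"^\s*channel (active|busy|receive|transmit) time:\s+(\d+) ms")

def render(rows):
    """Build constructed sample text in the `iw ... survey dump` layout."""
    tpl = ("Survey data from wlan0\n\tfrequency:\t\t\t{} MHz\n"
           "\tchannel active time:\t\t{} ms\n\tchannel busy time:\t\t{} ms\n"
           "\tchannel receive time:\t\t{} ms\n\tchannel transmit time:\t\t{} ms\n")
    return "".join(tpl.format(*r) for r in rows)

# Constructed snapshots (freq, active, busy, receive, transmit), taken 10 s apart.
T0 = render([(2412, 10000, 3000, 2500, 200),
             (2437, 10000, 2000, 1500, 300),
             (2462, 10000, 1000, 800, 100)])
T1 = render([(2412, 20000, 12500, 10500, 700),
             (2437, 20000, 11900, 1600, 310),
             (2462, 20000, 2200, 1800, 200)])

def parse_survey(text):
    """Parse survey dump text into {freq_mhz: {field: milliseconds}}."""
    channels, cur = {}, None
    for line in text.splitlines():
        m = FREQ_RE.match(line)
        if m:
            cur = channels.setdefault(int(m.group(1)), {})
            continue
        m = TIME_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return channels

def assess(before, after, busy_min=0.90, decoded_max=0.10):
    """Per channel: (busy ratio, decoded ratio, verdict) over the interval."""
    out = {}
    for freq, new in after.items():
        old = before.get(freq, {})
        if not all(f in new and f in old for f in FIELDS):
            out[freq] = (None, None, "no-data")   # driver did not report counters
            continue
        d = {f: new[f] - old[f] for f in FIELDS}
        if d["active"] <= 0 or min(d.values()) < 0:
            out[freq] = (None, None, "no-data")   # counter reset or channel not visited
            continue
        busy = d["busy"] / d["active"]
        decoded = (d["receive"] + d["transmit"]) / d["active"]
        if busy >= busy_min and decoded <= decoded_max:
            verdict = "busy-undecoded"            # CCA held busy, no frames behind it
        elif busy >= busy_min:
            verdict = "congested"                 # busy with real 802.11 traffic
        else:
            verdict = "ok"
        out[freq] = (round(busy, 2), round(decoded, 2), verdict)
    return out

if __name__ == "__main__":
    for freq, result in sorted(assess(parse_survey(T0), parse_survey(T1)).items()):
        print(freq, result)
```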

Solution

A complete solution is not available for 802.11 DSSS devices. As noted by AusCERT, "...a comprehensive solution, in the form of software or firmware upgrade, is not available for retrofit to existing devices. Fundamentally, the issue is inherent in the protocol implementation of IEEE 802.11 DSSS." Sites running wireless networks should consider security and availability requirements, network design, and the workarounds listed below.


Use non-DSSS 802.11 protocols

802.11 protocols that use frequency hopping spread spectrum (FHSS) or orthogonal frequency division multiplexing (OFDM) are not affected by this vulnerability. 802.11a uses OFDM, 802.11 can use FHSS, and 802.11g can use OFDM. Note that this workaround will not provide protection against management frame spoofing or RF attacks.

Constrain wireless networks

Depending on the application and site infrastructure, it may be possible to prevent attackers from getting in range of 802.11 networks by using physical barriers (walls, fences, elevation, etc.). In addition, different building materials provide various degrees of shielding.

Do not rely on 802.11 for high availability

Due to the inherent vulnerabilities in 802.11 (VU#106678, VU#391513, RF interference), do not deploy 802.11 networks for applications that require high availability (e.g. safety, critical infrastructure).

Vendor Information


Aruba Networks Affected

Notified:  May 12, 2004 Updated: June 07, 2004

Status

Affected

Vendor Statement

--------------------------------------------------------------------------


     Aruba Wireless Networks Security Advisory

Title: IEEE 802.11 wireless network protocol DSSS CCA algorithm vulnerable
to denial of service
Aruba Advisory ID: AID-04172004
Revision: 1.0
For Public Release on 04/17/2004 at 23:00 (GMT)
References: CERT Vulnerability Note VU#106678


--------------------------------------------------------------------------

SUMMARY

A Denial of Service vulnerability for 802.11 devices was made public on
05/13/2004 by
http://www.cert.org. The vulnerability alert disclosed how
an attacker using an 802.11 device could mount a denial of service attack
exploiting the CCA function of the 802.11 MAC. This attack would cause the
802.11 devices within the physical vicinity of the attacker to assume that
the channel is busy and withhold their transmissions.


PRODUCTS AND FIRMWARE VERSIONS AFFECTED

Hardware: All Aruba Wireless Networks Platform.
Software: All available versions affected.


DETAILS

The 802.11 MAC is based on the Carrier Sense Multiple Access/Collision
Avoidance (CSMA/CA), which determines the sequence in which WLAN devices
on the same channel can transmit their packets in order to minimize the
chances of two simultaneous transmissions.
One of the primary functions in CSMA/CA is the Clear Channel Assessment
(CCA) which requires every device with a packet to transmit to first
determine if that particular channel is free. If this device senses the
presence of a signal on that channel, then CCA dictates this device to
withhold its own transmission pending the completion of what is being
sensed as the current packet transmission.

The CCA function has an inherent vulnerability that could be exploited by
an attacker sending a continuous transmission on that channel. This can
cause all devices within hearing distance of the attacker's device to
sense the channel to be busy and withhold their own transmissions, leading
to a denial of service on that channel.

This vulnerability is inherent to the CCA function of the 802.11 MAC and
it is expected to affect almost all 802.11 devices that are currently
being used in the world today. It is not a vendor-specific implementation
vulnerability.

In order for an attacker to exploit this vulnerability, the attacker has
to be physically close to the devices under attack.

IMPACT

An attacker could cause all 802.11 devices within a certain physical
distance from the attacker's device to sense the channel to be busy and
make the channel unusable for those valid 802.11 devices.

All 802.11 devices operate in unlicensed bands and are subject to
interference from other devices present in these bands, such as: microwave
ovens, Bluetooth devices, baby monitors, cordless telephones.
When these devices are operated at the same time as a 802.11b or 802.11g
Wireless network, they cause interference to each other. It is possible
for any of these devices to cause enough interference to each other that
could make the channel almost unusable. This is a small price to pay for
operating in the unlicensed bands.

WORKAROUNDS

Currently, there are no known workarounds for the vulnerability in CCA.

SOLUTION

Aruba's products have the ability to detect interference that is being
faced by the Aruba APs and associated stations, but not currently
implemented for this specific attack.
Aruba is working on advanced heuristics not only to detect and alert this
attack, but also have our radio resource assignment algorithms to
workaround such attacks by changing the channel assignments on our APs
once this attack is detected.

We are also working with our chipset vendors to build logic into their
products that will enable us, in the future, to detect such attacks and,
possibly, pinpoint the physical location of the source of these attacks.


OBTAINING FIXED FIRMWARES

There is no current firmware with the enhancements described above.
Once one becomes available, this document will be updated.


  Aruba Support contacts are as follows:

    1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
    +1-408-754-1200 (toll call from anywhere in the world)
    e-mail: support(at)arubanetworks.com
    web: http://www.arubanetworks.com/support

  Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability has been announced at
http://www.kb.cert.org/vuls/id/106678


STATUS OF THIS NOTICE: Interim


This is an Interim advisory. Although Aruba Wireless networks cannot
guarantee the accuracy of all statements in this advisory, all of the
facts have been checked to the best of our ability. Aruba Wireless
Networks does not anticipate issuing updated versions of this
advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Wireless Networks
may update this advisory.

A stand-alone copy or paraphrase of the text of this security
advisory that omits the distribution URL in the following section is
an uncontrolled copy, and may lack important information or contain
factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

     This advisory will be posted on Aruba's website at
     
http://www.arubanetworks.com/support/wsirt/alerts/AID-04172004.asc

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Aruba WSIRT PGP key having the fingerprint
AB90 36CE 259C 7BA1 4FAF  62F8 3EF2 6968 39C3 A3C0 and is posted to
the following e-mail recipients.

    * cert@cert.org

Future updates of this advisory, if any, will be placed on Aruba's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

REVISION HISTORY


     Revision 1.0 /04-15-2004 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba
Wireless Networks products, obtaining assistance with security
incidents is available at
     
http://www.arubanetworks.com/support/wsirt.php


For reporting *NEW* Aruba Wireless Networks security issues, email
can be sent to wsirt(at)arubanetworks.com or
security(at)arubanetworks.com.
For sensitive information we encourage the use of PGP encryption. Our
public keys can be found at
http://www.arubanetworks.com/support/wsirt.php


     (c) Copyright 2004 by Aruba Wireless Networks, Inc.
This advisory may be redistributed freely after the release date
given at the top of the text, provided that redistributed copies are
complete and unmodified, including all date and version information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer, Inc. Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems, Inc. Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

D-Link Systems Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Extreme Networks Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Foundry Networks Inc. Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Corporation Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks, Inc. Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Linksys Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Technologies Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Marconi Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MiTel Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Motorola Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks, Inc. Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZyXEL Unknown

Updated:  May 13, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

This vulnerability was researched by the Queensland University of Technology (QUT) Information Security Research Centre (ISRC) and coordinated by the Australian Computer Emergency Response Team (AusCERT).

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2004-0459
Severity Metric: 14.11
Date Public: 2004-05-12
Date First Published: 2004-05-13
Date Last Updated: 2008-02-15 23:50 UTC
Document Revision: 36

Sponsored by CISA.