Cisco patches Duke's wireless woes

Nobody's blaming the iPhone now

Cisco Systems Inc. confirmed today that patches for its wireless LAN controllers released Tuesday arose from the investigation of hot-spot failures at Duke University that were originally pinned on Apple Inc.'s iPhone.

Yesterday, Cisco published a vulnerability alert outlining multiple bugs in its Wireless LAN Controllers (WLC) that it said "could result in a denial of service in certain environments."

According to Cisco, the WLC software's handling of Address Resolution Protocol (ARP) traffic is flawed. ARP, a standard network protocol, is used by devices to discover, then map, a wireless router's IP address to its media access control (MAC) hardware address. That mapping is what lets a Wi-Fi-equipped notebook reliably roam from one access point to another -- an important consideration in a campuswide network.

When a Wi-Fi device leaves the range of one hot spot and enters another, it uses ARP to determine whether it is reacquiring a connection to an access point it has previously visited. The device sends -- Cisco calls it "unicasting" -- the ARP request to the gateway it had just used.

"A vulnerable WLC may mishandle unicast ARP requests from a wireless client leading to an ARP storm," said Cisco in the advisory. In plain English, that means two or more WLCs start passing massive amounts of ARPs back and forth, flooding the network with unnecessary traffic and crashing the access point.

That's exactly what happened at Duke, where a large number of Cisco-managed hot spots were failing under huge loads, as many as 10,000 ARPs per second, according to Network World. At the time, however, Duke blamed the crashes on Apple Inc.'s iPhone, which about 150 people were using on the Durham, N.C., college campus.
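To make the ARP mechanics described above concrete from the network operator's side, here is an added example that is not from the article, Cisco or Duke: it builds raw Ethernet/ARP request frames, parses them back out (distinguishing unicast from broadcast destinations), and flags any source that sends more ARP requests in a one-second window than a threshold. The MAC addresses, IP addresses, timestamps and the 1,000-requests-per-second threshold are all constructed assumptions for the example; a real deployment would read frames from a capture rather than generating them.

```python
"""Added example: parse Ethernet/ARP frames and flag an ARP storm by counting
ARP requests per source MAC per one-second window.  Frames, addresses and the
threshold below are constructed for illustration, not taken from the article."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST = 1


def build_arp_request(src_mac, dst_mac, sender_ip, target_ip):
    """Construct an Ethernet II frame carrying an IPv4-over-Ethernet ARP request."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += src_mac + bytes(int(o) for o in sender_ip.split("."))
    arp += b"\x00" * 6 + bytes(int(o) for o in target_ip.split("."))  # target MAC unknown
    return eth + arp


def parse_arp(frame):
    """Return a dict describing the ARP packet, or None if the frame is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "src_mac": src.hex(":"),
        "unicast": dst != BROADCAST,  # the advisory concerns unicast requests
        "oper": oper,
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


def detect_arp_storm(frames, threshold=1000):
    """frames: iterable of (timestamp_seconds, raw_frame) pairs.
    Returns sorted (src_mac, second, count) tuples for every source whose ARP
    request count in a one-second window exceeds the threshold."""
    counts = defaultdict(int)
    for ts, frame in frames:
        p = parse_arp(frame)
        if p is None or p["oper"] != ARP_REQUEST:
            continue
        counts[(p["src_mac"], int(ts))] += 1
    return sorted((mac, sec, n) for (mac, sec), n in counts.items() if n > threshold)


def sample_capture():
    """Constructed capture: one client hammering its old gateway with unicast ARP
    requests, plus a second station doing normal broadcast ARP."""
    client = bytes.fromhex("001122334455")   # assumed roaming client MAC
    gateway = bytes.fromhex("00aabbccddee")  # assumed old-gateway MAC
    other = bytes.fromhex("00deadbeef01")    # assumed well-behaved station MAC
    frames = []
    for i in range(1500):  # 1,500 unicast requests inside second 0
        frames.append((i / 1500, build_arp_request(client, gateway, "10.0.1.23", "10.0.1.1")))
    for i in range(5):     # 5 ordinary broadcast requests inside second 0
        frames.append((0.2 * i, build_arp_request(other, BROADCAST, "10.0.1.40", "10.0.1.1")))
    return frames


if __name__ == "__main__":
    for mac, sec, n in detect_arp_storm(sample_capture()):
        print(f"ARP storm suspected: {mac} sent {n} ARP requests in second {sec}")
```

Keying the counter on source MAC and wall-clock second keeps the detector cheap enough to run on a mirrored port, and reporting the offending MAC gives an administrator the same starting point Duke's staff needed: which station (or controller) is originating the flood, before deciding whether the cause is a client, a controller bug, or something deliberate.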

"I don't believe it's a Cisco problem in any way, shape or form," said Kevin Miller, assistant director of communications infrastructure at the school's Office of Information Technology.

Two days later, however, Duke CIO Tracy Futhey refuted Miller and said the fault was in Cisco's hardware. Tuesday's patches were the result.

"The advisory is tied to the Duke situation," confirmed Cisco spokesman Neil Wu Becker. "You are right. [There is a] direct correlation here."

But Cisco -- as well as Duke and Apple -- remained mum on how, if at all, the iPhone had been involved, even if innocently. The company's spokesman declined to make a company engineer available or to provide additional details. "We aren't conducting interviews on this matter and instead are pointing to the advisory as a means of providing press and, most importantly, customers, with additional information on how this is resolved, how it can be prevented, etc.," said Becker.

The advisory hints that the new smart phone only triggered the so-called ARP storm. The iPhone, which will automatically connect to wireless access points -- and in any case is constantly scanning for available connections unless its owner has turned off Wi-Fi -- was presumably provoking the bug as it moved from one IP subnet to another. Any wireless device traveling between subnets would have also triggered the storm.

Cisco listed three separate vulnerabilities in the alert but has produced an update only for the newest WLC software, Version 4.1. Controllers running older editions -- 3.2 and 4.0 -- won't receive patches until Friday, said Cisco. In the meantime, network administrators can require all client devices to obtain their IP addresses from a Dynamic Host Configuration Protocol server to protect against accidental ARP storms.

The problem is more than just an inconvenience or embarrassment -- two of the assessments offered by security researchers and users last week -- it could also let hackers make mischief, or worse.

"A malicious wireless user could leverage the issue," noted Symantec Corp. in a warning today sent to customers of its DeepSight threat network. The Cisco-recommended work-around, for example, isn't effective against a deliberate ARP storm attack -- sometimes called "ARP poisoning."

Copyright © 2007 IDG Communications, Inc.
