

Cisco Aironet 1300 DoS condition


From: "Alex" <netshark@gaiajoy.com.>
To: <bugtraq@securityfocus.com.>
Subject: Cisco Aironet 1300 DoS condition
Date: Tue, 21 Mar 2006 10:08:09 -0000
MIME-Version: 1.0
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
In-Reply-To: <20060303200515.14565.qmail@securityfocus.com.>
Thread-Index: AcY/ukPD/aCZN0WNQ+OHtl95xCtJCgNDxLXg
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Message-Id: <20060321100823.ECFF34A9E@vwall.energaia.pt.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

Cisco Aironet 1300 DoS condition

Synopsis
========
Cisco Aironet 1300 running IOS 12.3(8)JA with default settings is vulnerable
to a DoS condition.

Background
==========
Cisco Aironet 1300 is the state-of-the-art enterprise p2p wireless repeater
from Cisco.
It supports a wide range of features, including but not limited to VLAN
trunking, VLAN to SSID mapping, WDS, multiple wireless networks, MAC and IP
filtering, QoS, SNMP, WPA, RADIUS etc.
It's commonly used to link remote hotspot branches/clouds.

Tested on
=========

Several Aironet 1200/1300 upgraded to IOS 12.3(8)JA. Aironet 1200 are NOT
affected.

Description
===========
IOS 12.3(8)JA default settings turn on the IGMP Snooping helper and WiFi
Multimedia (WMM) features even if QoS is turned off. These two features
combined generate by default a huge amount of multicast packets, sent to all
interfaces, wired or wireless, through the default VLAN. In the release
notes, Cisco warns customers about the possibility of degradation in the
1300's performance when using these features. Apparently this possibility is
underestimated. This condition happens even if the AP is upgraded from an
old version.

Impact
======
Wireless connection to the AP becomes impossible. Wired connection is
seriously affected, especially in networks with multiple 1300s, where the
IGMP packets are sent to the whole network. As the 1300s are typically used
in the p2p sections of the wireless network, the instant breakup of the
wireless p2p links is a very high possibility. Depending on the topology,
some 1300s may be virtually unreachable through the network.

Solution
========
Enter the global configuration mode in the IOS console and issue the
following commands:

    no ip igmp snooping
    no ip igmp snooping vlan 1    (optional - just to make sure)
    no dot11 igmp snooping-helper
    int Dot11Radio0
    no dot11 qos mode
    exit
    wr

________________________________
Alex Ferreira
Sysadmin
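
A check for the workaround above, as an added example that is not part of the original advisory: it parses IOS-style configuration text and reports which of the advisory's "no ..." lines are absent, globally and under each Dot11Radio interface. It assumes a saved configuration records those commands as lines beginning with the same text; the function names and sample configurations are constructed for illustration.

```python
import re

# Workaround lines from the advisory. Assumption: a saved config stores each
# "no ..." command as a line beginning with this text.
GLOBAL_REQUIRED = ["no ip igmp snooping", "no dot11 igmp snooping-helper"]
RADIO_REQUIRED = ["no dot11 qos mode"]
RADIO_RE = re.compile(r"^interface\s+Dot11Radio\d+$", re.IGNORECASE)

def parse_config(text):
    """Split IOS-style config text into global lines and interface blocks."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and current is not None:
            interfaces[current].append(line.strip())  # indented sub-command
        elif line.lower().startswith("interface "):
            current = line.strip()
            interfaces[current] = []
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def missing_workarounds(text):
    """Return (scope, command) pairs for workaround lines the config lacks."""
    global_lines, interfaces = parse_config(text)
    # Exact match: "no ip igmp snooping vlan 1" alone does not count.
    missing = [("global", c) for c in GLOBAL_REQUIRED if c not in global_lines]
    for name, body in interfaces.items():
        if RADIO_RE.match(name):
            for c in RADIO_REQUIRED:
                if not any(l == c or l.startswith(c + " ") for l in body):
                    missing.append((name, c))
    return missing

# Constructed sample configurations, not captured from a device.
UNPATCHED = "hostname bridge-a\n!\ninterface Dot11Radio0\n ssid link\n!\n"
PATCHED = ("hostname bridge-b\nno ip igmp snooping\n"
           "no dot11 igmp snooping-helper\n!\n"
           "interface Dot11Radio0\n no dot11 qos mode\n!\n")

if __name__ == "__main__":
    for label, cfg in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, missing_workarounds(cfg) or "all workaround lines present")
```

An empty result means every workaround line was found; each returned pair names the scope (global or a radio interface) and the command still to be applied.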
