WVE ID: WVE-2006-0050
Type: Vulnerability
Status: Candidate
Classification:
Denial of Service
Description:
Multiple IEEE 802.11 wireless LAN clients are vulnerable to a DoS attack when an attacker impersonates a valid access point but reports an invalid channel number in beacon frames.
Discussion:
IEEE 802.11 beacon frames include a variable number of management parameters, including the mandatory Distribution System (DS) Parameter Set field, which indicates the channel number used by the access point. Client systems use the contents of the DS Parameter Set field to configure the radio interface for the operating channel of the target access point.
By transmitting spoofed beacon frames with an invalid channel number, an attacker can mount a DoS attack against all clients associated with the target access point. Upon receiving the spoofed beacon, the wireless stations will reconfigure the wireless card to switch to the advertised channel number. Since the channel number is invalid, the stations will be unable to communicate until a timeout duration expires and they switch to a valid channel. Repeating the malformed beacon transmission sustains the attack.
This attack has been confirmed against several wireless cards using tools such as file2air and CommView for Wifi. Invalid channels include any channel not specifically supported by the target wireless stations such as channel 0, channel 255 or even channel 14 for stations operating in locations where channel 14 is not allowed.
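A sensor-side check for the condition described above, as an added example that is not part of the original WVE entry: it reads the DS Parameter Set from a captured beacon and flags a channel that is outside an allowed set or differs from the access point's configured channel. The 1-11 channel set, the `known_aps` inventory and all function names are assumptions, and the sample frames are constructed in memory.

```python
import struct

ALLOWED_CHANNELS = set(range(1, 12))  # assumption: site permits 2.4 GHz channels 1-11
DS_PARAMETER_SET = 3                  # element ID of the DS Parameter Set

def parse_beacon(frame):
    """(bssid, channel) for a raw 802.11 beacon, else None; channel None if DS set invalid."""
    if len(frame) < 36:  # 24-byte MAC header + 12 bytes of fixed beacon fields
        return None
    if (frame[0] >> 2) & 0x3 != 0 or (frame[0] >> 4) != 8:  # mgmt type, beacon subtype
        return None
    bssid, pos, channel = frame[16:22].hex(":"), 36, None
    while pos + 2 <= len(frame):  # walk the ID/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:  # truncated element, stop
            break
        if eid == DS_PARAMETER_SET:
            channel = body[0] if elen == 1 else None
            break
        pos += 2 + elen
    return bssid, channel

def check_beacon(frame, known_aps):
    """Alert string or None; known_aps (hypothetical) maps BSSID -> configured channel."""
    parsed = parse_beacon(frame)
    if parsed is None:
        return None
    bssid, channel = parsed
    if channel is None:
        return f"{bssid}: beacon without a valid DS Parameter Set"
    if channel not in ALLOWED_CHANNELS:
        return f"{bssid}: beacon advertises unsupported channel {channel}"
    expected = known_aps.get(bssid)
    if expected is not None and channel != expected:
        return f"{bssid}: beacon advertises channel {channel}, expected {expected}"
    return None

def build_sample_beacon(bssid, channel, ssid=b"corp"):
    """Constructed in-memory test input: beacon with SSID and DS Parameter Set."""
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)  # timestamp, interval, capabilities
    tags = bytes([0, len(ssid)]) + ssid + bytes([DS_PARAMETER_SET, 1, channel])
    return hdr + fixed + tags

if __name__ == "__main__":
    ap = bytes.fromhex("001122334455")  # constructed BSSID
    for ch in (6, 0, 255, 14):
        print(ch, check_beacon(build_sample_beacon(ap, ch), {"00:11:22:33:44:55": 6}))
```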
Credits
Author:
LittleW0lf (ltlw0lf@cox.net)
: None
References
URL:
http://standards.ieee.org/getieee802/download/802.11-1999.pdf
WVE:
WVE-2005-0059
Released: 2006-06-01
Submitter
Joshua Wright (jwright@arubanetworks.com)
: Aruba Networks
Submitted: Thu Jun 01 08:54:37 -0700 2006
Candidate Date: Thu Jun 01 09:35:19 -0700 2006

