WVE ID: WVE-2008-0004
Type: Vulnerability
Status: Candidate
Classification:
Denial of Service
Description:
In Draft 2.0 IEEE 802.11n 2.4 GHz networks, an unauthenticated client can degrade network performance by forcing all devices to revert from 40 MHz to 20 MHz mode.
Discussion:
Draft 2.0 of the 802.11n specification is widely adopted by client and AP vendors for early access to the specification features. Part of the functionality in 802.11n networks is the ability to leverage 40 MHz channels instead of the standard 20 MHz channels used in 802.11a/g networks.
Section 9.20.4 of the draft indicates that a client can use the High Throughput (HT) capability Information Element (IE) in an association request frame to trigger a Basic Service Set (BSS) width event, which determines whether 40 MHz or 20 MHz channels can be used. A client that does not support 40 MHz channels may set the HT capability "intolerant bit" to indicate that it is unable to participate in a 40 MHz BSS. Upon receiving this information, an AP operating in the 2.4 GHz band will revert to the 20 MHz mode of operation, effectively reducing the bandwidth allocated to all users on the AP. Section 9.20.4 further states that the AP must remain in 20 MHz mode until 30 minutes have elapsed with no 40 MHz intolerance reports.
Since the HT capability IE is transmitted in an association request frame, an unauthenticated attacker is able to influence the effective bandwidth of the network, creating a degradation of service for all AP users for at least 30 minutes.
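Added example, not part of the original WVE record: a monitoring sketch that parses captured association requests, flags those whose HT capability IE carries the intolerant bit, and tracks per BSSID how long the 30-minute hold described above keeps the AP at 20 MHz. It assumes element ID 45 and bit 14 of the HT Capabilities Info field (the published 802.11n layout, assumed here to match Draft 2.0) and frames that start at the 802.11 header; the addresses and frames are constructed.

```python
import struct

HT_CAP_EID = 45                 # HT Capabilities element ID (assumed layout)
FORTY_MHZ_INTOLERANT = 1 << 14  # bit 14 of HT Capabilities Info (assumed layout)
HOLD_SECONDS = 30 * 60          # 20 MHz hold time from Section 9.20.4

def intolerant_report(frame):
    """Return (bssid, client) when frame is an association request whose HT
    Capabilities IE has the intolerant bit set, else None."""
    if len(frame) < 28 or (frame[0] & 0xFC) != 0:   # type 0, subtype 0 only
        return None
    client, bssid = frame[10:16].hex(":"), frame[16:22].hex(":")
    pos = 28                    # 24-byte MAC header + capability + listen interval
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            return None         # truncated element, stop parsing
        if eid == HT_CAP_EID and length >= 2:
            info = struct.unpack_from("<H", body)[0]
            return (bssid, client) if info & FORTY_MHZ_INTOLERANT else None
        pos += 2 + length
    return None

def track(frames):
    """frames: iterable of (unix_time, raw_frame). Returns, per BSSID, the
    report count, distinct reporting clients and earliest 40 MHz return time."""
    state = {}
    for ts, raw in frames:
        hit = intolerant_report(raw)
        if hit:
            s = state.setdefault(hit[0], {"reports": 0, "clients": set(), "held_until": 0})
            s["reports"] += 1
            s["clients"].add(hit[1])
            s["held_until"] = max(s["held_until"], ts + HOLD_SECONDS)
    return state

def sample_assoc_req(client, bssid, ht_info):
    """Constructed frame: association request with SSID and HT Capabilities IEs."""
    hdr = b"\x00\x00\x00\x00" + bssid + client + bssid + b"\x00\x00"
    ies = b"\x00\x04test" + bytes([HT_CAP_EID, 26]) + struct.pack("<H", ht_info) + bytes(24)
    return hdr + struct.pack("<HH", 0x0421, 10) + ies

AP = bytes.fromhex("020000000001")        # constructed addresses
FRAMES = [(0, sample_assoc_req(bytes.fromhex("0200000000aa"), AP, 0x000C)),
          (600, sample_assoc_req(bytes.fromhex("0200000000bb"), AP, 0x400C)),
          (900, sample_assoc_req(bytes.fromhex("0200000000cc"), AP, 0x400C))]

if __name__ == "__main__":
    print(track(FRAMES))
```

Because each new report pushes `held_until` forward, repeated reports from different source addresses before the hold expires are the pattern to alert on.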
Credits
References
URL:
http://www.willhackforsushi.com/presentations/rsa2008-wright.pdf
Released: 2008-04-10
Submitter
Joshua Wright (jwright@arubanetworks.com): Aruba Networks
Submitted: Wed Apr 09 14:54:10 -0700 2008
Candidate Date: Wed Apr 09 15:30:51 -0700 2008

