Block ACK DoS

WVE ID: WVE-2008-0006

Type: Vulnerability

Status: Candidate

Classification:
Denial of Service

Description:
Block acknowledgment window manipulation allows an attacker to mount a DoS attack against 802.11n clients.

Discussion:
IEEE 802.11n introduces a mechanism to positively acknowledge a block of packets, instead of using sequential transmit/acknowledgment exchanges. A transmitter sends an Add Block Acknowledgment (ADDBA) frame to a recipient, indicating a starting frame sequence number and a window size of frame sequence numbers that the receiver should expect as part of the transmission. The receiver silently accepts frames whose sequence numbers fall within the current window and, upon request, delivers a BlockACK message indicating which sequence numbers were successfully received. Frames that are received outside of the current window are dropped.

An attacker can manipulate the block acknowledgment process by transmitting a surreptitious ADDBA frame to the recipient, with the victim's address spoofed as the source. By advertising a window of sequence numbers that is not currently in use by the victim, the attacker can cause the receiver to drop all frames from the victim. Although the ADDBA frame is a type of management action frame, it is not protected by the management frame protection introduced in IEEE 802.11w.

As of draft 4.0 of the 802.11n specification, there is no protection against an ADDBA DoS attack.
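
A monitoring-side check for the condition described above, added here as an example and not part of the original entry. It runs over constructed sensor records; the record layout, the `sta-A` label, the `max_gap` threshold and the in-order window model are assumptions made for illustration.

```python
SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits wide


def in_window(seq, start, size):
    """True if seq lies in [start, start + size), with 12-bit wraparound."""
    return (seq - start) % SEQ_MOD < size


def audit(events, max_gap=64):
    """Scan (kind, transmitter, seq, size) records seen by a sensor.

    Returns (alerts, out_of_window):
      alerts        - ADDBA records whose starting sequence number is more
                      than max_gap ahead of that transmitter's last data frame
      out_of_window - per-transmitter count of later data frames outside the
                      advertised window, i.e. frames the receiver would drop
    Simplified model (assumption): in-order delivery, and the window start
    advances past each accepted frame.
    """
    last_seq, window, alerts, out_of_window = {}, {}, [], {}
    for kind, tx, seq, size in events:
        if kind == "addba":
            prev = last_seq.get(tx)
            if prev is not None and (seq - prev) % SEQ_MOD > max_gap:
                alerts.append((tx, prev, seq))
            window[tx] = (seq, size)
        elif kind == "data":
            last_seq[tx] = seq
            if tx not in window:
                continue
            start, width = window[tx]
            if in_window(seq, start, width):
                window[tx] = ((seq + 1) % SEQ_MOD, width)
            else:
                out_of_window[tx] = out_of_window.get(tx, 0) + 1
    return alerts, out_of_window


# Constructed sample records (not captured traffic).
SAMPLE = [
    ("data", "sta-A", 100, 0), ("addba", "sta-A", 101, 64),
    ("data", "sta-A", 101, 0), ("data", "sta-A", 102, 0),
    ("data", "sta-A", 103, 0),
    ("addba", "sta-A", 2000, 64),  # window unrelated to numbers in use
    ("data", "sta-A", 104, 0), ("data", "sta-A", 105, 0),
    ("data", "sta-A", 106, 0),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check is a heuristic: an ADDBA whose window does not match the sequence numbers a station is actually using, followed by a run of that station's frames outside the window, is the pattern the discussion describes.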

Credits
Author: Doug Smith : Cisco Systems
Author: Jesse Walker : Intel Corporation
Author: Nancy Cam-Winget : Cisco Systems

References
URL: https://mentor.ieee.org/802.11/file/07/11-07-2163-01-000n-a-mpdu-security-issues.ppt
URL: http://www.willhackforsushi.com/presentations/rsa2008-wright.pdf

Released: 2007-07-16

Submitter
Joshua Wright (jwright@arubanetworks.com) : Aruba Networks

Submitted: Wed Apr 09 17:08:29 -0700 2008

Candidate Date: Wed Apr 09 19:14:42 -0700 2008

