J-Security Center

Title: IEEE 802.11b Arp Cache Poisoning Man-in-the-Middle Vulnerability

Severity: CRITICAL

Description:

802.11b is the wireless protocol specification published by the IEEE.

A problem in the implementation of the standard could allow an arbitrary user on the wireless network to perform a man-in-the-middle attack. This attack could be launched from the wireless network and affect any host on the wireless or wired network within the same broadcast domain.

The problem is in the implementation of the 802.11b protocol, in relation to Address Resolution Protocol (ARP) requests. Like standard Ethernet, 802.11b relies on ARP to resolve Internet Protocol (IP) addresses when finding hosts on the local network. Also like standard Ethernet, ARP traffic is broadcast over the entire broadcast domain, which includes both the wireless network and the wired network, and is cached on all systems within the broadcast domain. The Wireless Access Point typically acts as a hub, forwarding ARP traffic across its interfaces.

It is possible to use one of many available ARP spoofing tools, or to manually spoof ARP requests, to re-route traffic intended for a host through an arbitrary host. Because the Wireless Access Point forwards ARP traffic, it is possible to re-route traffic from systems on the wireless network and from systems on the wired network, up to and including the router.

This vulnerability may be exploited only within the confines of the local network, or broadcast domain. ARP traffic is not forwarded across the router (with the exception of some configurations that use tunnels to forward ARP requests, which could place segments of the network that receive tunnelled ARP traffic at risk).
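Because the spoofed ARP traffic reaches every host in the broadcast domain, a monitoring host on the wired or wireless side can watch for it. The following is an added example, not part of the original advisory: it parses Ethernet/IPv4 ARP frames and flags any IP address whose claimed hardware address changes. The function names, addresses and sample frames are constructed for illustration.

```python
import struct

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:   # EtherType ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, _mac(frame[22:28]), ".".join(str(b) for b in frame[28:32])

def detect_rebinding(frames):
    """Return (frame_index, ip, known_mac, new_mac) for each IP that changes MAC.

    Assumption: the first binding seen for an IP is treated as the baseline.
    """
    bindings, alerts = {}, []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip = parsed
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append((index, ip, known, mac))
    return alerts

def build_arp(oper, src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed ARP frame; used only to create the sample data."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    header = mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return header + arp + mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip)

# Constructed sample: router, a wireless station, then a reply that rebinds the router's IP.
ROUTER, STATION, HOST = "00:11:22:33:44:55", "02:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"
SAMPLE_FRAMES = [
    build_arp(2, ROUTER, "192.168.1.1", HOST, "192.168.1.20"),
    build_arp(2, STATION, "192.168.1.50", HOST, "192.168.1.20"),
    build_arp(2, STATION, "192.168.1.1", HOST, "192.168.1.20"),
]

if __name__ == "__main__":
    for alert in detect_rebinding(SAMPLE_FRAMES):
        print("ARP binding changed: frame %d, %s was %s, now %s" % alert)
```

A changed binding is not always hostile (address reassignment or replaced hardware produces the same signal), so alerts on the router's address deserve the closest attention.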

Affected Products:

  • IEEE 802.11b 0.0.0
  • Microsoft Windows XP Home
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1
