The problem applies to Cisco access points operating in Lightweight Access Point Protocol (LWAPP) mode, which are controlled by a separate WLAN switch. According to a security advisory on Ciscos Web site, the access points "may allow unauthenticated end hosts to send unencrypted traffic to a secure network by sending frames from the MAC (Media Access Control) address of an already authenticated end host."
"Such traffic needs to be sourced from the MAC address of a legitimate, already authenticated end host," the advisory says. "By exploiting this vulnerability, an attacker may send malicious traffic into a secure network. Legitimate end hosts will still communicate with the access point in an encrypted manner."
Specifically the vulnerability applies to Cisco 1200, 1131, and 1240 series access points that are controlled by Cisco 2000 and 4400 series Airespace Wireless LAN (WLAN) Controllers. Access points that run autonomous mode are not affected.
The problem can be solved with a free upgrade to the software on the controller, a spokesman for Cisco said. (In LWAPP mode of operation, it is not possible to change the software on the access points individually. Such access points download their software from the WLAN controller.)