SamPirok
Community Manager

Summary

AirSnitch is a set of Wi‑Fi client‑isolation bypass techniques and associated testing tools that exploit weaknesses in how Wi‑Fi encryption, access point packet switching, and IP routing are implemented across multiple vendors’ products. The attacks allow a malicious client already connected to the same wireless network to intercept or inject traffic to other clients or internal systems, despite client‑isolation features being enabled. Successful exploitation can enable man‑in‑the‑middle scenarios, unauthorized access to sensitive data, and follow‑on attacks at higher protocol layers.

 

Products Potentially Affected

| OS/Product | Exposure |
|---|---|
| ExtremeCloud IQ Controller (IQC/XCC) | Yes |
| IQ Engine (HiveOS) | Yes |
| WiNG | Yes |

Repair Recommendations:

ExtremeCloud IQ Controller (IQC/XCC):

  • Create a VLAN and assign rules to it. Rules can be L2, L3, or L4 rules with source/destination MAC address/port blocking.
  • Configure → Policy → Role → Add new VLAN and assign roles
  • Map this role to the corresponding network as the default role and select the default VLAN as B@AC
  • Select the network → select the Advanced tab → disable client-to-client communication
  • To block non-essential broadcast traffic:
      • Configure → Policy → VLAN → B@AC → disable non-essential broadcast traffic

IQ Engine (HiveOS):

  • IQ Engine/HiveOS supports configurations where the GTK can be scoped per VLAN instead of being shared across all clients on a BSSID.
  • Scoping the GTK per VLAN helps limit the blast radius of GTK based abuse to a single VLAN, preventing a client on VLAN A from using its GTK to inject traffic to clients on VLAN B, even when they share the same SSID.

WiNG:

  • To mitigate the AirSnitch vulnerability, disable the forwarding of multicast/broadcast packets to a group on the WLAN by executing the following command under each WLAN policy:
      • #no downstream-group-addressed-forwarding
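
One way to check an exported configuration for the WiNG setting above, as an added example that is not Extreme Networks' code. It assumes a running-config style text export in which each WLAN starts with `wlan <name>`, its settings are indented beneath it, and a `!` line closes the block; the sample config and the function names `parse_wlans` and `wlans_missing_mitigation` are constructed for illustration.

```python
import re

# Constructed sample in the assumed running-config layout ("wlan <name>" header,
# indented settings, "!" terminator). This is not real device output.
SAMPLE_CONFIG = """\
wlan CORP
 ssid corp-wifi
 vlan 10
 no downstream-group-addressed-forwarding
!
wlan GUEST
 ssid guest-wifi
 vlan 20
!
wlan IOT
 ssid iot
 vlan 30
 downstream-group-addressed-forwarding
!
"""

# The command given in the advisory, without the CLI prompt character.
MITIGATION = "no downstream-group-addressed-forwarding"


def parse_wlans(config_text):
    """Return {wlan_name: [normalized setting lines]} for each 'wlan <name>' block."""
    wlans, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        header = re.match(r"^wlan\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            wlans[current] = []
        elif line.strip() == "!" or (line and not line[0].isspace()):
            current = None  # "!" or any other top-level line ends the block
        elif current is not None and line.strip():
            wlans[current].append(" ".join(line.split()))
    return wlans


def wlans_missing_mitigation(config_text):
    """List WLANs whose block lacks the explicit 'no ...' line from the advisory."""
    return sorted(name for name, settings in parse_wlans(config_text).items()
                  if MITIGATION not in settings)


if __name__ == "__main__":
    for name in wlans_missing_mitigation(SAMPLE_CONFIG):
        print(f"WLAN {name}: '{MITIGATION}' not set")
```

A WLAN is reported both when the line is absent and when only the positive form of the command appears, so each reported block needs a manual look at the device.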

 

NOTE: For step-by-step instructions or guidance, please refer to this knowledge article. 

 

Please see the full Security Advisory article here for more details and future updates. 
