Tuesday, July 24, 2007

Cisco Wireless ARP Storm Vulnerabilities


A denial of service (DoS) is possible according to the latest details released for Cisco Wireless LAN Controllers. Workarounds and updates are available.

The WLC contains vulnerabilities in the processing of unicast ARP traffic where a unicast ARP request may be flooded on the LAN links between Wireless LAN Controllers in a mobility group...
If the client sends a unicast ARP request with a destination MAC address that has not been learned by the Layer-2 infrastructure, that request will be flooded to all ports in the Layer-2 domain after egressing the WLC. This allows the second WLC to reprocess the ARP request and incorrectly reforward this packet back into the network...
If the arpunicast feature has been enabled on the WLC, the WLC will re-forward broadcast ARP packets targeting the IP address of a known client context. This creates an ARP storm if more than one WLC is installed on the corresponding VLAN...
In a Layer-3 (L3) roaming scenario, a wireless client moves from one controller to another where the wireless LAN interfaces configured on different controllers are on different IP subnets. In this scenario, a unicast ARP may not be tunneled back to the anchor controller, but may instead be sent by the foreign controller out to a local VLAN...
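The advisory excerpts above describe the same ARP request being re-forwarded between controllers on a shared VLAN. The following added detection example (my own code, not Cisco's or the advisory's) runs a sliding-window counter over constructed ARP capture summary lines and flags a (sender MAC, target IP) request that repeats more than a threshold per second, reporting the ports it was seen on; the summary-line format, port names and addresses are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpEvent:
    ts: float         # seconds since capture start
    port: str         # ingress port / capture point
    sender_mac: str
    target_ip: str
    opcode: str       # "request" or "reply"

def parse_events(text):
    """Parse constructed 'ts port sender_mac target_ip opcode' summary lines."""
    events = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, port, mac, ip, op = line.split()
            events.append(ArpEvent(float(ts), port, mac.lower(), ip, op))
    return events

def detect_arp_storm(events, window_s=1.0, threshold=20):
    """Flag (sender_mac, target_ip) requests repeated more than `threshold`
    times inside a sliding `window_s` window, with the ports they were seen
    on: one request bouncing between two WLC uplinks is the loop signature."""
    recent = defaultdict(deque)      # key -> (ts, port) pairs within window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.opcode != "request":
            continue
        key = (ev.sender_mac, ev.target_ip)
        q = recent[key]
        q.append((ev.ts, ev.port))
        while ev.ts - q[0][0] > window_s:    # drop events older than window
            q.popleft()
        if len(q) > threshold:
            prev = alerts.get(key, {"peak": 0, "ports": set()})
            alerts[key] = {"peak": max(prev["peak"], len(q)),
                           "ports": prev["ports"] | {p for _, p in q}}
    return alerts

def build_sample():
    """Constructed capture: three benign ARP frames, then one client's request
    re-forwarded between two WLC uplinks 30 times within 300 ms."""
    lines = ["0.000 access-1 aa:bb:cc:00:00:01 10.1.1.1 request",
             "0.500 access-2 aa:bb:cc:00:00:02 10.1.1.1 request",
             "0.510 access-1 00:00:5e:00:01:01 10.1.1.1 reply"]
    for i in range(30):
        port = "wlc1-uplink" if i % 2 == 0 else "wlc2-uplink"
        lines.append(f"{1.0 + i * 0.01:.3f} {port} aa:bb:cc:00:00:03 10.1.1.20 request")
    return "\n".join(lines)
```

Calling `detect_arp_storm(parse_events(build_sample()))` returns one alert for the looping request with a peak of 30 frames in the window, seen on both uplink ports, while the benign requests produce nothing.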

Link
