The vulnerability is due to insufficient security protections during wireless access point association sequences. At startup, lightweight wireless access points without a configuration use Over-the-Air Provisioning (OTAP) to seek out and associate with a Cisco Wireless LAN Controller.
Administrators may configure access points with a preferred controller list that will bypass the OTAP provisioning process. Locally Significant Certificates (LSCs) can be provisioned on Cisco access points and Wireless LAN Controllers and are used to authenticate the access points to the Wireless LAN Controller and vice versa. LSCs provide an additional layer of security because certificate authentication is required between the Cisco access point and the Wireless LAN Controller. When Cisco access points are provisioned with LSCs, they will not register to a rogue Wireless LAN Controller because the access point will not be able to properly authenticate it.
Devices without preconfigured controller lists or LSCs have no method of distinguishing valid controllers from malicious ones.
An unauthenticated, remote attacker could exploit this vulnerability by injecting Radio Resource Management (RRM) packets onto the wireless network while an unconfigured access point starts up. The injection of malicious RRM packets could manipulate the OTAP process to cause the device to associate with the attacker's controller.
As a result, wireless clients that are associating to the rogue access point will be unable to access legitimate network resources, resulting in a DoS condition.