03-04-2014 02:41 AM
I installed a new set of Aruba 105's at a remote office running Corporate access with Radius Auth and Guest access with password Auth, both on separate non-routed vlans. The Version is 18.104.22.168-22.214.171.124_38110.
We also have the identical setup at our main office running Version 126.96.36.199-188.8.131.52_35899.
A pen tester found that if you authenticate to the remote office guest wireless, then revisit the url a few times (https://securelogin.arubanetworks.com/swarm.cgi?opcode=cp_generate&orig_url=687474703a2f2f736c617368646f742e6f72672f).
The config, including Admin user/password and Radius password are displayed in plain text.
Then - very scary, if you go to the URL https://securelogin.arubanetworks.com/#home (dispite being on a separarte vlan) you get the contoller home page, which you can log in to with the previously found admin user/pass.
This was mitigated by simply going to Settings>General>Deny inter user bridging - Enable and Deny local routing - Enable.
At our main office (Version 184.108.40.206-220.127.116.11_35899) these settings are Disabled, but I am unable to replicate the issue here. So it must be a vulnerability with 18.104.22.168-22.214.171.124_38110.
Has anyone come across this vulnerability before and know if it is fixed in later versions?
03-04-2014 03:22 AM
You are running very old code. Please upgrade to the latest, which has the fix.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
03-04-2014 06:00 AM
Its not that old, the 105's were purchased a few months ago and shipped with this version. We are running a much older version without this vulnerability. Do you know if this vulnerability is documented anywhere?