Network Management

Frequent Contributor II

Airwave Vulnerability Concerns

We are currently running Airwave 7.4.5. Our Information Security department completed a vulnerability scan of the server and had several findings that they have asked me to address. One of the most concerning issues was a vulnerability with OpenSSH 4.3. Specifically "OpenSSH X11 Cookie Local Authentication Bypass Vulnerability". Apparently this vulnerability was resolved in version 4.7. Can anyone confirm if the newest version of Airwave updates OpenSSH? If not, can SSH be disabled completely?

Also, there was a vulnerability in the OpenSSH X11UseLocalhost configuration. This is already resolved in OpenSSH version 5.1.

Second, a weak cryptographic key. They have suggested that we generate a longer key and recreate the certificate. Can this be done?


I appreciate the input. Thanks

Network Engineer | Airhead | Titus 3:5
Moderator

Re: Airwave Vulnerability Concerns

I don't currently have an AMP 7.4.5 running, but here's the output from AMP 7.5.5:

# rpm -qa | grep -i openssl
perl-Crypt-OpenSSL-RSA-0.25-10.1.el6.x86_64
openssl098e-0.9.8e-17.el6.centos.2.x86_64
perl-Crypt-OpenSSL-Random-0.04-9.1.el6.x86_64
perl-Crypt-OpenSSL-Bignum-0.04-8.1.el6.x86_64
openssl-1.0.0-20.el6_2.5.x86_64


It may be easier for you to upgrade to the latest version and have your security group run their vulnerability scan again.

For certs, you can try following the methods documented in: kb.airwave.com (search keyword: cert).

If you have any difficulties, I believe support has received similar inquiries and might have a quick answer.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
Frequent Contributor II

Re: Airwave Vulnerability Concerns

Thanks, Rob. I'm definitely planning on upgrading to the newest version. Hopefully that will take care of these issues. I'm still not sure about OpenSSH version though. Shouldn't someone from Aruba be able to confirm what version is in use with the newest version of Airwave?

Network Engineer | Airhead | Titus 3:5
Moderator

Re: Airwave Vulnerability Concerns

# rpm -qa | grep -i openssh
openssh-clients-5.3p1-81.el6.x86_64
openssh-5.3p1-81.el6.x86_64
openssh-server-5.3p1-81.el6.x86_64
aw-perl-Net-OpenSSH-0.53_02-1.noarch


Per OpenSSH, OpenSSH 5.1 or newer is not vulnerable to the X11UseLocalhost issue. AMP 7.5.5 has OpenSSH 5.3.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
Frequent Contributor II

Re: Airwave Vulnerability Concerns

I updated to 7.5.5 earlier today and here is what I'm seeing. Am I missing something?


============================================

[root@mg-airwave mercury]# rpm -qa | grep -i openssh
openssh-server-4.3p2-41.el5.x86_64
openssh-clients-4.3p2-41.el5.x86_64
aw-perl-Net-OpenSSH-0.53_02-1.noarch
openssh-4.3p2-41.el5.x86_64

============================================


Network Engineer | Airhead | Titus 3:5

Re: Airwave Vulnerability Concerns

Here is mine...


[root@aw-1 mercury]# rpm -qa | grep -i openssh
openssh-clients-5.3p1-70.el6.x86_64
aw-perl-Net-OpenSSH-0.53_02-1.noarch
openssh-5.3p1-70.el6.x86_64
openssh-server-5.3p1-70.el6.x86_64


Odd that yours is not like that.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Moderator

Re: Airwave Vulnerability Concerns

Looks like not all of your packages are getting upgraded. Do you have the default install with CentOS? Please send the output of:


# cat /etc/redhat-release

# cat /var/log/AMP-upgrade-version-history.log


We'll try to replicate the same in our lab.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
Frequent Contributor I

Re: Airwave Vulnerability Concerns

I'm betting that this is the difference between running an older version of the OS, CentOS 5.5, as opposed to the newer Airwave install on CentOS 6.2.


I'm currently running CentOS 5.5 with the same output as you:


rpm -qa | grep -i openssh
openssh-server-4.3p2-41.el5.x86_64
openssh-clients-4.3p2-41.el5.x86_64
aw-perl-Net-OpenSSH-0.53_02-1.noarch
openssh-4.3p2-41.el5.x86_64


You'll need to install the latest version of Airwave with CentOS 6.2 and migrate your DB.

If you're really concerned about it, just edit your IPTables to only allow local traffic to access your server. You can still download updates this way and it protects your server from outside snooping.
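The version check this thread walks through, as an added shell example that is not from the original posts or from Aruba: it parses `rpm -qa` output (the two sample listings below are constructed from the outputs posted above), extracts the openssh-server version, and flags anything below 5.1, the fix level named in the thread, which is exactly what the CentOS 5 host still carried after the 7.5.5 upgrade.

```shell
# Constructed samples: the el5 and el6 package lists seen in this thread
EL5_RPMS='openssh-server-4.3p2-41.el5.x86_64
openssh-clients-4.3p2-41.el5.x86_64
aw-perl-Net-OpenSSH-0.53_02-1.noarch
openssh-4.3p2-41.el5.x86_64'

EL6_RPMS='openssh-clients-5.3p1-81.el6.x86_64
openssh-5.3p1-81.el6.x86_64
openssh-server-5.3p1-81.el6.x86_64
aw-perl-Net-OpenSSH-0.53_02-1.noarch'

# Pull "major.minor" out of the openssh-server package name (4.3p2 -> 4.3).
# Only the server package matters; aw-perl-Net-OpenSSH is a Perl module, not sshd.
openssh_server_version() {
    printf '%s\n' "$1" | sed -n 's/^openssh-server-\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) when openssh-server is 5.1 or newer, the level the thread
# cites as not affected by the X11UseLocalhost issue; exit 2 if sshd is absent.
openssh_at_or_above_5_1() {
    ver=$(openssh_server_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 1 ]; }
}

# One-line verdict for a scan follow-up. On a live AMP host, call it as
# report "$(rpm -qa)" instead of passing a constructed listing.
report() {
    if openssh_at_or_above_5_1 "$1"; then
        echo "OK: openssh-server $(openssh_server_version "$1") is >= 5.1"
    else
        echo "FINDING: openssh-server $(openssh_server_version "$1") is below 5.1; host still on the el5 base"
    fi
}

report "$EL5_RPMS"
report "$EL6_RPMS"
```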

Frequent Contributor II

Re: Airwave Vulnerability Concerns

Looks like you're right about the CentOS. I did the upgrade to 7.5.5. I don't recall reading anything about upgrading CentOS. Is there a document that explains all of this? What other reason would one have to upgrade CentOS?


===========================================================

[root@mg-airwave mercury]# cat /etc/redhat-release
CentOS release 5.5 (Final)


[root@mg-airwave mercury]# cat /var/log/AMP-upgrade-version-history.log
cat: /var/log/AMP-upgrade-version-history.log: No such file or directory
===========================================================


Network Engineer | Airhead | Titus 3:5
Moderator

Re: Airwave Vulnerability Concerns

The upgrade to CentOS 6.x was done for the newer packages that are pre-bundled into the OS. AirWave is typically mirrored to the latest CentOS available. Some of the packages helped increase performance, others address security issues.


Looks like your upgrade file isn't in the same location. Do you recall the path of upgrades you took? If not, try:

# locate AMP-upgrade-version-history.log


There doesn't seem to be a knowledge base article for the CentOS 6.2 upgrade, but it's similar to the CentOS 4 to 5 upgrade process. You upgrade to the latest version, take a backup of your AMP, pull the backup off the server, reinstall with the latest ISO, then copy back the backup, and restore it. Support can help guide you through this process if you have any problems. The key is to make sure you grab a backup from /var/airwave-backup.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company