Security

Contributor I
Posts: 37
Registered: ‎06-17-2011

Heartbleed - CVE-2014-0160 Problem

[ Edited ]

We have tried the http://filippo.io/Heartbleed/ web page and found that we hit the vulnerability.

Please help. We could not find any info on Aruba.

Also, according to debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883) all private keys should be changed immediately!

Sincerely,

Husnu Demir.

Network.

METU

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: CVE-2014-0160

Good question, I'm currently wondering the same and would appreciate a reaction from Aruba.

Of course the best thing to do is open a support case, but still an announcement by Aruba would help to prevent everyone from doing that :)

BTW: rdemir, could you add Heartbleed to your subject? It makes it easier for others to see it.

Contributor I
Posts: 37
Registered: ‎06-17-2011

Re: CVE-2014-0160

In fact we have raised the situation with our Aruba support for Turkey and they will look tomorrow. We tested and it shows vulnerable, and:

show ver
Aruba Operating System Software.
ArubaOS (MODEL: Aruba6000), Version 6.3.1.4
Website: http://www.arubanetworks.com
Copyright (c) 2002-2014, Aruba Networks, Inc.
Compiled on 2014-03-18 at 14:06:13 PDT (build 42768) by p4build

ROM: System Bootstrap, Version CPBoot 1.2.0.0 (build 20527)
Built: 2009-01-20 18:56:10
Built by: p4build@re_client_20527


Switch uptime is 6 days 1 hours 39 minutes 44 seconds
Reboot Cause: Power Failure (Intent:cause:register ee:ee:0)
Supervisor Card
Processor XLR 732 (revision C4) with 1979M bytes of memory.
32K bytes of non-volatile configuration memory.
512M bytes of Supervisor Card System flash (model=CF 512MB).

MVP
Posts: 130
Registered: ‎06-11-2013

Re: CVE-2014-0160

It seems ClearPass and ArubaOS are impacted:

http://filippo.io/Heartbleed/#clearpass.arubademo.net


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: CVE-2014-0160

Seems to be version dependent, got a 6.2.5 version which doesn't seem affected.

Airwave 7.6.3 neither.

MVP
Posts: 130
Registered: ‎06-11-2013

Re: CVE-2014-0160

That test is ClearPass 6.2.5. We have tested with ArubaOS 6.3.1.4 and it seems to be vulnerable.

I'm wondering if FreeRADIUS within ClearPass is also vulnerable.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl

Frequent Contributor I
Posts: 82
Registered: ‎05-28-2010

Re: CVE-2014-0160

How do you test ArubaOS version?

Regards,

Tony Marques

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: CVE-2014-0160


tmarques wrote:

How do you test ArubaOS version?

Regards,

Tony Marques


What exactly do you mean? You can test it via the web interface, that is the part that probably uses OpenSSL.

If your web interface isn't reachable via the internet you have already excluded a big attack surface. Within your own network you might be able to restrict access to a management subnet only.

To test internally you can use the PoC Python script or use this openssl command: openssl s_client -connect google.com:443 -tlsextdebug and look for the server extension "heartbeat" string at the beginning.

MVP
Posts: 130
Registered: ‎06-11-2013

Re: CVE-2014-0160

[ Edited ]

You will probably be vulnerable when:

* You are using a captive portal which is running on the controller and/or ClearPass

* You are using the controller for VIA

ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl

Contributor I
Posts: 36
Registered: ‎10-27-2007

Re: Heartbleed - CVE-2014-0160 Problem

[ Edited ]

Aruba controllers are also impacted.

One POC run against a 7220 controller running 6.3.1.4 returned what looks to be part of an XML configuration file and at least CA information for the pub/priv key combination that ships as the default cert on the controllers.

I went into our Airwave 7.7.10 system and ran "yum update", which installed a patched OpenSSL via CentOS upstream, and the POC fails against it.
