Heartbleed - CVE-2014-0160 Problem

We have tried the http://filippo.io/Heartbleed/ web page and found that we hit the vulnerability.

 

Please help. We could not find any info on ARUBA.

 

Also, according to Debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883) all private keys should be changed immediately!

 

 

Sincerely,

 

Husnu Demir.

Network.

METU

Re: CVE-2014-0160

Good question, I'm currently wondering the same and would appreciate a reaction from Aruba.

 

Of course the best thing to do is to open a support case, but still an announcement by Aruba would help to prevent everyone from doing that :)

 

BTW: rdemir, could you add Heartbleed to your subject? It makes it easier for others to see it.


Re: CVE-2014-0160

In fact we raised the situation with our Aruba support for Turkey and they will look tomorrow. We tested and it shows vulnerable, and:

 

show ver
Aruba Operating System Software.
ArubaOS (MODEL: Aruba6000), Version 6.3.1.4
Website: http://www.arubanetworks.com
Copyright (c) 2002-2014, Aruba Networks, Inc.
Compiled on 2014-03-18 at 14:06:13 PDT (build 42768) by p4build

ROM: System Bootstrap, Version CPBoot 1.2.0.0 (build 20527)
Built: 2009-01-20 18:56:10
Built by: p4build@re_client_20527


Switch uptime is 6 days 1 hours 39 minutes 44 seconds
Reboot Cause: Power Failure (Intent:cause:register ee:ee:0)
Supervisor Card
Processor XLR 732 (revision C4) with 1979M bytes of memory.
32K bytes of non-volatile configuration memory.
512M bytes of Supervisor Card System flash (model=CF 512MB).

 

 

Re: CVE-2014-0160

It seems ClearPass and ArubaOS are impacted:

 

http://filippo.io/Heartbleed/#clearpass.arubademo.net


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl

Re: CVE-2014-0160

Seems to be version dependent; got a 6.2.5 version which doesn't seem affected.

 

AirWave 7.6.3 neither.

Re: CVE-2014-0160

That test is ClearPass 6.2.5. We have tested with ArubaOS 6.3.1.4 and it seems to be vulnerable.

 

I'm wondering if FreeRADIUS within ClearPass is also vulnerable.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl

Re: CVE-2014-0160

How do you test ArubaOS version?

 

Regards,

Tony Marques

Re: CVE-2014-0160


tmarques wrote:

How do you test ArubaOS version?

 

Regards,

Tony Marques


What do you mean exactly? You can test it via the web interface; that is the part that probably uses OpenSSL.

 

If your web interface isn't reachable via the internet you have already excluded a big attack surface. Within your own network you might be able to restrict access to only a management subnet.

 

To test internally you can use the PoC Python script or use this openssl command: openssl s_client -connect google.com:443 -tlsextdebug and look for the server extension "heartbeat" string at the beginning.

Re: CVE-2014-0160

You will probably be vulnerable when:

 

* You are using a captive portal which is running on the controller and/or ClearPass

* You are using the controller for VIA

 


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl

Re: Heartbleed - CVE-2014-0160 Problem

 

Aruba controllers are also impacted.

 

One PoC run against a 7220 controller running 6.3.1.4 returned what looks to be part of an XML configuration file and at least CA information for the pub/priv key combination that ships as the default cert on the controllers.

 

I went into our AirWave 7.7.10 system and ran "yum update", which installed a patched openssl via CentOS upstream, and the PoC fails against it.

 
