Security

Moderator

Security/vulnerability advisories

Please subscribe to this thread if you would like to be notified of Aruba security or vulnerability advisories.  Currently we email these to anyone registered on support.arubanetworks.com, but some people do not have support accounts so we will be providing this thread as an alternative.

 

-Jon

---
Jon Green, ACMX, CISSP
Security Guy
Moderator

Re: Security/vulnerability advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 07032014

CVE-2014-4013 - SQL Injection vulnerability in ClearPass Policy Manager
CVE-2014-4031 - Credential Disclosure vulnerability in ClearPass Policy Manager


TITLE
 
SQL Injection and Credential Disclosure Vulnerability in Aruba Networks ClearPass Policy Manager 
 

SUMMARY
 
SQL Injection and Credential Disclosure vulnerabilities have been discovered in
Aruba Networks ClearPass Policy Manager. This advisory describes ClearPass' exposure to these 
vulnerabilities.


AFFECTED VERSIONS
 
- ClearPass 5.X, 6.0.X, 6.1.X, 6.2.X, 6.3.X
 

DETAILS
 
An attacker with access to ClearPass Policy Manager's web interface can inject SQL commands
using a carefully crafted request. In addition, such an attacker can force the disclosure of 
credentials used to access the ClearPass Policy Manager database(s).  The attacker must
have valid credentials to access ClearPass Policy Manager, although an administrator-level
login is not necessary.

 
DISCOVERY

These vulnerabilities were discovered by Nate Roberts from Wipfli LLP in June, 2014.
Aruba Networks would like to thank Nate for his assistance.


IMPACT

The attacker can discover credentials used to access ClearPass Policy Manager, as well as 
discover additional information about the system such as the version number of ClearPass' 
database engine. 

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS).
This rating system is a vendor agnostic, industry open standard designed to 
convey vulnerability severity and help determine urgency and priority of 
response. 

CVE-2014-4013: CVSS v2 Base Score: 4.9 (MEDIUM) (AV:A/AC:M/Au:S/C:P/I:P/A:P) 
CVE-2014-4031: CVSS v2 Base Score: 5.5 (MEDIUM) (AV:A/AC:H/Au:S/C:P/I:P/A:C) 


MITIGATION
 
Aruba Networks recommends that all customers use access control methods such 
as network-level ACLs to restrict access to the ClearPass Policy Manager UI. 
If using ClearPass 6.1.0 and above, Aruba recommends that customers use 
Access Control options available within the ClearPass administration interface 
to permit access to ClearPass Policy Manager from secure network locations only.
 
 
SOLUTION

Aruba Networks recommends that all customers running either of the below 6.1.X 
or 6.2.X versions apply the corresponding Security Patch released July 2014, 
as soon as practical.

	- ClearPass 6.1.4.55458, 6.1.4.61696, or 
	- ClearPass 6.2.6.62196.

Customers running any of the below 6.3.X versions should apply the 6.3.4 
(Cumulative Patch 4 – released July 2014) as soon as practical.

	- ClearPass 6.3.0.60537, 6.3.0.60730, or 6.3.0.61712, or 
	- ClearPass 6.3.1.62009, or
	- ClearPass 6.3.2.63239, or 
	- ClearPass 6.3.3.63748 

Customers running ClearPass versions prior to 6.1 are urged to upgrade to 
ClearPass Policy Manager 6.1.4 as soon as practical.

+----------------------------------------------------

OBTAINING FIXED SOFTWARE

Aruba customers can obtain software updates on the support website:
	http://support.arubanetworks.com


Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
	
	+1-408-754-1200 (toll call from anywhere in the world)

	The full contact list is at:
	http://www.arubanetworks.com/support-services/support-program/contact-support/

	e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


STATUS OF THIS NOTICE: Preliminary

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-07032014.txt


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY
      Revision 1.0 / 07-03-2014 / Initial release


ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
PGP encryption. Our public keys can be found at 

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----
---
Jon Green, ACMX, CISSP
Security Guy
Moderator

OpenSSL Multiple Vulnerabilities (August 2014)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 08182014
CVE-2014-3511


TITLE

OpenSSL Multiple Vulnerabilities (August 2014)

SUMMARY

On August 6, 2014, the OpenSSL Foundation announced multiple vulnerabilities in OpenSSL
through the advisory at https://www.openssl.org/news/secadv_20140806.txt. A number of
Aruba Networks products make use of OpenSSL. This advisory has been created to describe
Aruba's exposure to these vulnerabilities.


AFFECTED PRODUCTS
Information leak in pretty printing functions (CVE-2014-3508)
- No Aruba products affected

Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
- No Aruba products affected

Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
- No Aruba products affected

Double Free when processing DTLS packets (CVE-2014-3505)
- No Aruba products affected

DTLS memory exhaustion (CVE-2014-3506)
- No Aruba products affected

DTLS memory leak from zero-length fragments (CVE-2014-3507)
- No Aruba products affected

OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
- No Aruba products affected

OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
- Multiple Aruba products impacted. See below for further details.

SRP buffer overrun (CVE-2014-3512)
- No Aruba products affected

 

AFFECTED VERSIONS (for CVE-2014-3511)
- ArubaOS (6.3.x prior to 6.3.1.11, 6.4.x prior to 6.4.2.1 - including FIPS versions)
- ClearPass (6.3.x prior to 6.3.5, 6.4.x prior to 6.4.1)
- AirWave (7.7.x prior to 7.7.13, 8.0.x prior to 8.0.4)

NOT AFFECTED
- ArubaOS 6.2.x, 6.1.x, 5.x, and 3.4.x
- ArubaOS 7.x
- Aruba Central (already patched)
- Aruba Instant (IAP)
- Aruba VIA
- MeshOS


DETAILS

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message is
badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a higher
protocol version, by modifying the client's TLS records.


DISCOVERY

These vulnerabilities were announced publicly by the OpenSSL Foundation.

 

IMPACT

OpenSSL is used in a variety of ways in Aruba products, including:
* HTTPS communications via the Administrative Web GUI
* HTTPS communications via Captive Portal
* 802.1X
* Secure LDAP communication
* Secure communication with some third party APIs
* VIA profile download

The Aruba products listed above include support for TLS 1.2. An attacker successfully
carrying out the attack described by CVE-2014-3511 could cause a TLS connection to fall
back to TLS 1.0. The impact would be that stronger ciphersuites only available in TLS 1.2,
such as ciphersuites that make use of SHA256/SHA384, would not be available, and instead
the connection would make use of SHA1 for integrity protection. Note that while SHA1
is expected to become deprecated in the future, it is not today considered particularly
weak.

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This
rating system is a vendor agnostic, industry open standard designed to convey
vulnerability severity and help determine urgency and priority of response. The CVSS score
for this release is:

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

 

MITIGATION

Other than customers using Suite B cryptography, most Aruba customers do not depend on
TLS 1.2 being available. If the use of TLS 1.2 forms a critical layer of security in
your environment, Aruba recommends that TLS communication be made available only to
trusted network segments. Note that if Suite B cryptography is in use only for
IPsec communication, this vulnerability has no impact.

Otherwise, given the low security impact of this vulnerability, Aruba does not recommend
any additional mitigation steps. Upgrade to the latest supported version of software
during your next regularly scheduled maintenance window.



SOLUTION

Aruba Networks plans to publish patch releases for the affected products. We
recommend upgrading to these releases during your next regularly scheduled
maintenance window.

ArubaOS 6.3.1.11 (estimated release date 09/19/2014)
ArubaOS 6.4.2.1 (estimated release date 09/10/2014)
ClearPass 6.3.5 (estimated release date 09/08/2014)
ClearPass 6.4.1 (estimated release date 09/30/2014)
AirWave 7.7.13 (estimated release date 09/02/2014)
AirWave 8.0.4 (estimated release date 09/02/2014)

Note: If upgrading your AirWave Server to either version 7.7.13 or 8.0.4 is not
feasible, you may instead update OpenSSL manually using 'yum'.


+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
http://support.arubanetworks.com


Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-08182014.txt


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY
Revision 1.0 / 08-19-2014 / Initial release


ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at

http://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----

---
Jon Green, ACMX, CISSP
Security Guy
Moderator

Re: Security/vulnerability advisories

The following is a revision to last week's advisory. The update should be posted to the public website shortly.

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 09252014
CVE-2014-6271
CVE-2014-7169
CVE-2014-6277
CVE-2014-6278


TITLE
 
GNU bash Shell Multiple Vulnerabilities ("Shellshock")
 

SUMMARY
 
On September 24, 2014, a public announcement was made regarding a vulnerability in the GNU
'bash' shell that could permit remote code execution.  This vulnerability was assigned
CVE-2014-6271 and fixes were published.  The fix was incomplete, and a second vulnerability
(CVE-2014-7169) was published.  Over the following days, additional vulnerabilities
(CVE-2014-6277 and CVE-2014-6278) were also made public. 

Some Aruba products contain the GNU bash shell, and this advisory has been created 
to describe Aruba's exposure to these vulnerabilities.


AFFECTED PRODUCTS
	- AirWave (All versions prior to 7.7.13, 8.0.x prior to 8.0.4.1)
	- ClearPass Policy Manager (All versions prior to 6.3.6, 6.4.x prior to 6.4.1)
	- ALE (all versions prior to 1.2.3)
	- Amigopod (All versions)


NOT AFFECTED
	- ArubaOS (all versions)
	- Aruba Central (already patched)
	- Aruba Instant (IAP)
	- Aruba VIA
	- MeshOS


DETAILS

Bash supports exporting not just shell variables, but also shell
functions to other bash instances, via the process environment to
(indirect) child processes.  Current bash versions use an environment
variable named by the function name, and a function definition
starting with “() {” in the variable value to propagate function
definitions through the environment.  The vulnerability occurs because
bash does not stop after processing the function definition; it
continues to parse and execute shell commands following the function
definition.  If bash is used as an interpreter for network-accessible
scripts, an attacker could exploit the vulnerability to execute
arbitrary code.


 
DISCOVERY

These vulnerabilities were announced publicly on September 24, 2014.



IMPACT

Aruba confirms that affected versions of 'bash' are included in the 
Linux distributions used by AirWave, Amigopod, ALE, and ClearPass.  
However, current testing and analysis indicates that the vulnerability
is NOT exploitable over the network by an unauthenticated user.

It is still possible that this vulnerability could be used by an 
authenticated user to conduct a privilege escalation attack.  Aruba 
has not yet been able to prove or disprove this vector, given the 
complexity of the software. Aruba will post revisions of this advisory 
if new information comes to light indicating a more serious impact.

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This 
rating system is a vendor agnostic, industry open standard designed to convey 
vulnerability severity and help determine urgency and priority of response. The CVSS score
for this release is:

CVSS V2 Base Score: 3.6 (LOW) (AV:N/AC:H/Au:S/C:P/I:P/A:N)


MITIGATION

Aruba recommends that wherever possible, affected products should not be
exposed to untrusted networks such as the public Internet.  Apply patches
as soon as they become available.


 
SOLUTION

As of this writing (September 29) the situation is still fluid; patches for bash have
been published by RedHat and others, but it is unclear if those patches fully fix
all problems. Aruba Networks has published patch releases for some affected 
products and will continue to publish patches as new information becomes available.  
The following versions contain fixes:

ClearPass 6.2.6 patch - scheduled release date October 1, 2014
ClearPass 6.3.5 patch - scheduled release date October 1, 2014
ClearPass 6.3.6
ClearPass 6.4.1 - scheduled release date September 30, 2014
ALE 1.2.3 - scheduled release date October 1, 2014
AirWave 7.7.13 - released September 26, 2014
AirWave 8.0.4.1 - released September 26, 2014
  Note:  If upgrading your AirWave server to either version 7.7.13 or 8.0.4.1 is not 
         feasible, you may instead update bash manually using 'yum'. The
         same procedure is available for ALE.

Amigopod has reached the "End of Development" milestone and will not be updated.
Customers should update Amigopod installations to ClearPass Guest to address this
and any future security issues.

+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
	http://support.arubanetworks.com


Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
	
	+1-408-754-1200 (toll call from anywhere in the world)

	The full contact list is at:
	http://www.arubanetworks.com/support-services/support-program/contact-support/

	e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-09252014.txt


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY
      Revision 1.0 / 09-25-2014 / Initial release
      Revision 1.1 / 09-29-2014 / Update.  New IMPACT section, updated SOLUTION.
                                  Severity downgraded to LOW.


ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
PGP encryption. Our public keys can be found at 

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----

 

---
Jon Green, ACMX, CISSP
Security Guy
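As an added example (not part of Aruba's advisory and not Aruba code), the following Python models the mechanism the DETAILS section above describes: it recognises the "() {" function-export form in an environment value, finds where the function body ends, and flags any commands that follow the closing brace, which is the part an unpatched bash would go on to execute. It also maps HTTP request headers to the CGI environment names a script would see, since network-accessible scripts are the path the advisory mentions; the sample request and environment are constructed, and the quote/brace walker is a simplification of bash's own parser.

```python
"""Detector for Shellshock-style function exports in environment values.

Added example, not Aruba's code. A value starting with "() {" is an exported
bash function; an unpatched bash kept parsing (and executing) whatever followed
the function body. This classifier separates well-formed exports from values
that carry trailing commands, so defenders can flag the latter in CGI
environments or proxied request headers.
"""
import re

# bash's original check was the literal prefix "() {"; the regex tolerates
# extra whitespace on purpose so detection is slightly looser than the parser.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def _body_end(value, start):
    """Return the index just past the brace that closes the function body whose
    opening brace sits before value[start], or -1 if braces never balance.
    Quoted strings are skipped so braces inside them are not counted."""
    depth = 1
    quote = None
    i = start
    while i < len(value):
        ch = value[i]
        if quote:
            if ch == "\\" and quote == '"':
                i += 1                      # escaped char inside double quotes
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "\\":
            i += 1                          # unquoted escape: skip next char
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return -1


def classify_value(value):
    """Classify one environment value.

    'plain'             - not a function export
    'function'          - well-formed export, nothing after the body
    'function+trailing' - commands follow the closing brace (Shellshock pattern)
    'malformed'         - starts like an export but the braces never balance
    """
    m = FUNC_PREFIX.match(value)
    if not m:
        return "plain"
    end = _body_end(value, m.end())
    if end < 0:
        return "malformed"
    return "function+trailing" if value[end:].strip() else "function"


def find_suspect_exports(environ):
    """Return {name: classification} for every value that is not 'plain'."""
    found = {}
    for name, value in environ.items():
        kind = classify_value(value)
        if kind != "plain":
            found[name] = kind
    return found


def cgi_env_name(header):
    """CGI (RFC 3875) exposes request headers as HTTP_<NAME>, '-' becoming '_'."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def scan_request_headers(raw_request):
    """Build the CGI-style environment a script would receive from a raw HTTP
    request and classify it; returns only the non-'plain' entries."""
    env = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        env[cgi_env_name(name)] = value.strip()
    return find_suspect_exports(env)


# Constructed samples (not from any real capture or system).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "greet": '() { echo "hi {there}"; }',        # legitimate exported function
    "x": "() { :; }; echo probe",                 # trailing command after body
    "broken": "() { echo unterminated",           # never closes its brace
}
SAMPLE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: () { :; }; echo probe\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(find_suspect_exports(SAMPLE_ENV))
    print(scan_request_headers(SAMPLE_REQUEST))
```
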
Moderator

ArubaOS Authentication Bypass Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 10072014
CVE-2014-7299


TITLE
 
ArubaOS Authentication Bypass Vulnerability
 

SUMMARY
 
A vulnerability has been found in some ArubaOS versions that 
may permit unauthenticated access to administrative interfaces 
of Aruba controllers.


AFFECTED PRODUCTS
	- ArubaOS 6.3.1.11
	- ArubaOS 6.3.1.11-FIPS
	- ArubaOS 6.4.2.1
	- ArubaOS 6.4.2.1-FIPS


DETAILS

It may be possible to obtain limited administrative privileges
without valid credentials. The vulnerability affects access over
SSH; access through WebUI and the serial port is not affected.
The vulnerability does not provide "root" level access.


DISCOVERY

This vulnerability was discovered by Brian Julin of Clark University.
Aruba would like to thank Mr. Julin for his assistance in
discovering and reporting this problem.


IMPACT

An attacker may be able to login to an affected mobility controller
and conduct the following type of activities:
 - Issue 'show' commands
 - Obtain encrypted password hashes for administrative accounts
 - View the running configuration
 - Add users to the internal user database with 'guest' rights

CVSS V2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)



MITIGATION

Upgrade your controller to ArubaOS 6.3.1.12 or 6.4.2.2 as soon 
as possible. As an alternative, downgrading to 6.3.1.10 or 6.4.2.0 
will also eliminate the vulnerability.

If upgrading/downgrading is not an option, you may block SSH access
from untrusted networks, or block it completely.  From the CLI:

(config) #firewall cp
(config-fw-cp) #ipv4 permit 10.100.1.0 255.255.255.0 proto ssh
(config-fw-cp) #ipv4 deny any proto ssh

The above will permit SSH only from subnet 10.100.1.0.  You may
also permit SSH only from specific hosts:

(config) #firewall cp
(config-fw-cp) #ipv4 permit host 10.100.1.12 proto ssh
(config-fw-cp) #ipv4 deny any proto ssh

The above will permit SSH only from host 10.100.1.12.  Finally,
you may block ALL access through SSH:

(config) #firewall cp
(config-fw-cp) #ipv4 deny any proto ssh

From the WebUI, navigate to Configuration->Advanced->Stateful Firewall->ACL White List
where you may add equivalent rules using the "Add" button.

If your controller operates in an IPv6 environment, you should also block
access through IPV6.
 

SOLUTION

Aruba has made ArubaOS 6.3.1.12 and 6.4.2.2 available for download.  
The vulnerability is fixed in these versions.

Because encrypted password hashes may have been exposed, we recommend
that administrative passwords be changed after software is updated.


+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
	http://support.arubanetworks.com


Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
	
	+1-408-754-1200 (toll call from anywhere in the world)

	The full contact list is at:
	http://www.arubanetworks.com/support-services/support-program/contact-support/

	e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-10072014.txt


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY
      Revision 1.0 / 10-07-2014 / Initial release


ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
PGP encryption. Our public keys can be found at 

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----

 

---
Jon Green, ACMX, CISSP
Security Guy
Moderator

SSL 3.0 "POODLE" Attack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 10142014
CVE-2014-3566


TITLE
 
SSL 3.0 "POODLE" Attack
 

SUMMARY
 
On October 14, 2014, the Google Security Team announced a practical attack
against the SSL 3.0 protocol that could allow an attacker to recover encrypted 
plaintext from an HTTPS session.  This advisory describes Aruba's exposure 
to the attack.


AFFECTED PRODUCTS
	- ArubaOS (all versions)
	- ClearPass Policy Manager (all versions)
	- AirWave (all versions)
	- Aruba Central
	- Aruba Instant (all versions)


NOT AFFECTED
	- ArubaOS operating in FIPS mode
	- ClearPass Policy Manager operating in FIPS mode


DETAILS

Refer to https://www.openssl.org/~bodo/ssl-poodle.pdf for full details.

 
MITIGATION

 All Products
 ============
 All modern browsers support TLSv1 at a minimum, and most also support
 TLSv1.1 and TLSv1.2. We recommend disabling SSLv3 support in the
 browser.  As long as one side of the connection refuses to support
 SSLv3, the attack will be unsuccessful.

 ArubaOS
 =======
 ArubaOS when operating in FIPS mode does not support SSLv3.  For non-FIPS
 versions of ArubaOS, HTTPS protocols are configurable.  From the command
 line, the following command will enable only TLSv1:
    (config) #web-server ssl-protocol tlsv1

 
SOLUTION
 
Aruba Networks plans to publish patch releases for the affected products.  We 
recommend upgrading to these releases during your next regularly scheduled 
maintenance window.  Because this information is preliminary, the exact
method that will be used to mitigate the attack is not yet known.  This 
advisory will be updated once additional information becomes available.




+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
	http://support.arubanetworks.com


Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
	
	+1-408-754-1200 (toll call from anywhere in the world)

	The full contact list is at:
	http://www.arubanetworks.com/support-services/support-program/contact-support/

	e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-10142014.txt


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY
      Revision 1.0 / 10-14-2014 / Initial release


ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
PGP encryption. Our public keys can be found at 

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----

 

---
Jon Green, ACMX, CISSP
Security Guy
Moderator

Aruba ClearPass Multiple vulnerabilities (October 2014)

A new advisory has been posted at http://www.arubanetworks.com/support/alerts/aid-10282014.txt regarding multiple vulnerabilities in ClearPass.

---
Jon Green, ACMX, CISSP
Security Guy
Moderator

AirWave SQL Injection and CPPM Privilege Escalation (CVE-2014-8367, 2014-8368)

A new advisory has been posted at http://www.arubanetworks.com/support/alerts/aid-11192014.txt which covers two vulnerabilities - one in AirWave and one in ClearPass.

---
Jon Green, ACMX, CISSP
Security Guy
Moderator

Aruba Instant (IAP) Wireless DoS Attack (CVE-2015-1348)

A new advisory has been posted at http://www.arubanetworks.com/support/alerts/aruba-psa-2015-001.txt which covers a DoS vulnerability in Aruba Instant.

---
Jon Green, ACMX, CISSP
Security Guy
Moderator

RAP Command Injection Vulnerability

A new security advisory has been posted at http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-004.txt

 

---
Jon Green, ACMX, CISSP
Security Guy