-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 08182014
CVE-2014-3511


TITLE
 
OpenSSL Multiple Vulnerabilities (August 2014)
 

SUMMARY
 
On August 6, 2014, the OpenSSL Foundation announced multiple vulnerabilities in OpenSSL
through the advisory at https://www.openssl.org/news/secadv_20140806.txt.  A number of
Aruba Networks products make use of OpenSSL.  This advisory has been created to describe
Aruba's exposure to these vulnerabilities.


AFFECTED PRODUCTS
	Information leak in pretty printing functions (CVE-2014-3508)
		- No Aruba products affected

	Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
		- No Aruba products affected

	Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
		- No Aruba products affected

	Double Free when processing DTLS packets (CVE-2014-3505)
		- No Aruba products affected

	DTLS memory exhaustion (CVE-2014-3506)
		- No Aruba products affected

	DTLS memory leak from zero-length fragments (CVE-2014-3507)
		- No Aruba products affected

	OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
		- No Aruba products affected

	OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
		- Multiple Aruba products impacted.  See below for further details.

	SRP buffer overrun (CVE-2014-3512)
		- No Aruba products affected



AFFECTED VERSIONS (for CVE-2014-3511)
	- ArubaOS (6.3.x prior to 6.3.1.11, 6.4.x prior to 6.4.2.1 - including FIPS versions)
	- ClearPass (6.3.x prior to 6.3.5, 6.4.x prior to 6.4.1)
	- AirWave (7.7.x prior to 7.7.13, 8.0.x prior to 8.0.4)

NOT AFFECTED
	- ArubaOS 6.2.x, 6.1.x, 5.x, and 3.4.x
	- ArubaOS 7.x
	- Aruba Central (already patched)
	- Aruba Instant (IAP)
	- Aruba VIA
	- MeshOS


DETAILS

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message is
badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a higher
protocol version, by modifying the client's TLS records.

 
DISCOVERY

These vulnerabilities were announced publicly by the OpenSSL Foundation.



IMPACT

OpenSSL is used in a variety of ways in Aruba products, including:
* HTTPS communications via the Administrative Web GUI
* HTTPS communications via Captive Portal
* 802.1X
* Secure LDAP communication
* Secure communication with some third party APIs
* VIA profile download

The Aruba products listed above include support for TLS 1.2.  An attacker successfully 
carrying out the attack described by CVE-2014-3511 could cause a TLS connection to fall 
back to TLS 1.0.  The impact would be that stronger ciphersuites only available in TLS 1.2, 
such as ciphersuites that make use of SHA256/SHA384, would not be available, and instead 
the connection would make use of SHA1 for integrity protection.  Note that while SHA1
is expected to become deprecated in the future, it is not today considered particularly
weak.

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This 
rating system is a vendor agnostic, industry open standard designed to convey 
vulnerability severity and help determine urgency and priority of response. The CVSS score
for this release is:

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)



MITIGATION

Other than customers using Suite B cryptography, most Aruba customers do not depend on 
TLS 1.2 being available.  If the use of TLS 1.2 forms a critical layer of security in 
your environment, Aruba recommends that TLS communication be made available only to 
trusted network segments.  Note that if Suite B cryptography is in use only for 
IPsec communication, this vulnerability has no impact.

Otherwise, given the low security impact of this vulnerability, Aruba does not recommend 
any additional mitigation steps.  Upgrade to the latest supported version of software 
during your next regularly scheduled maintenance window.


 
SOLUTION
 
Aruba Networks plans to publish patch releases for the affected products.  We 
recommend upgrading to these releases during your next regularly scheduled 
maintenance window.

ArubaOS 6.3.1.11 (estimated release date 09/19/2014)
ArubaOS 6.4.2.1 (estimated release date 09/10/2014)
ClearPass 6.3.5 (estimated release date 09/08/2014)
ClearPass 6.4.1 (estimated release date 09/30/2014)
AirWave 7.7.13 (estimated release date 09/02/2014)
AirWave 8.0.4 (estimated release date 09/02/2014)
  Note:  If upgrading your AirWave Server to either version 7.7.13 or 8.0.4 is not 
         feasible,  you may instead update OpenSSL manually using 'yum'.


+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
	http://support.arubanetworks.com


Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
	
	+1-408-754-1200 (toll call from anywhere in the world)

	The full contact list is at:
	http://www.arubanetworks.com/support-services/support-program/contact-support/

	e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-08182014.txt


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY
      Revision 1.0 / 08-19-2014 / Initial release


ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
PGP encryption. Our public keys can be found at 

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBCAAGBQJT89/PAAoJEJj+CcpFhYbZHZwH+gO3QbEV6oOsjP08MeNDeq0J
LDU9JhcX2pV2XKgIQOC1HitlPR4tbM7hfRqXAe5zSmoIRUGuKn7aMITgx8ZuUfQ7
ywnz+lIri0zh2vwTnwFWQlKIHEDLynfaL1T/T3ur0+aVT7AhFFpLaS6SRvUGXUEw
MgoF1MTOxRpwkt5qx5B13LWsCj2A9x81t5KqiUBQt4U1TGBdLfwv4IfxDxMpIQt4
/n/BKWozbkySbWO1Y9XRwgKB1Rpgibc/XWHC08ZNBow8/yneJd4/wr6D50KvQadx
XE5mT8OmtV8078suDMZ9E3EG+Ft/8OudkFgxut3pInqnI4Z9nb9uPOAshiKfVls=
=AHmx
-----END PGP SIGNATURE-----