Security

last person joined: 17 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Heartbleed - CVE-2014-0160 Problem

Jump to Best Answer
This thread has been viewed 0 times
  • 1.  Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 04:50 AM

    We have tried to http://filippo.io/Heartbleed/ web page and found that we hit the valnurability.

     

    Please help. We could not find any info on ARUBA.

     

    Also, according to debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883) all private keys should be changed immediately!

     

     

    Sincerly,

     

    Husnu Demir.

    Network.

    METU



  • 2.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 08:31 AM

    good question, im currently wondering the same and would appriciate a reaction from Aruba.

     

    of course best thing to do is open a support case, but still an announcement by Aruba would help to prevent everyone from doing that :)

     

    btw: rdemir could you add Heartbleed to your subject, makes it easier for other to see it.



  • 3.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 08:41 AM

    ın fact we urged aboutthe situation to our Aruba support for Turkey and they will look tomorrow. We tested and it shows vulnerable and 

     

    show ver
    Aruba Operating System Software.
    ArubaOS (MODEL: Aruba6000), Version 6.3.1.4
    Website: http://www.arubanetworks.com
    Copyright (c) 2002-2014, Aruba Networks, Inc.
    Compiled on 2014-03-18 at 14:06:13 PDT (build 42768) by p4build

    ROM: System Bootstrap, Version CPBoot 1.2.0.0 (build 20527)
    Built: 2009-01-20 18:56:10
    Built by: p4build@re_client_20527


    Switch uptime is 6 days 1 hours 39 minutes 44 seconds
    Reboot Cause: Power Failure (Intent:cause:register ee:ee:0)
    Supervisor Card
    Processor XLR 732 (revision C4) with 1979M bytes of memory.
    32K bytes of non-volatile configuration memory.
    512M bytes of Supervisor Card System flash (model=CF 512MB).

     

     



  • 4.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 11:02 AM

    It seems ClearPass and ArubaOS are impacted:

     

    http://filippo.io/Heartbleed/#clearpass.arubademo.net



  • 5.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 11:12 AM

    seems to be version dependent, got a 6.2.5 version which doesnt seem affected.

     

    airwave 7.6.3 neither.



  • 6.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 11:14 AM

    That test is ClearPass 6.2.5. We have tested with ArubaOS 6.3.1.4 and it seems to be vulnerable.

     

    I'm wondering if FreeRADIUS within ClearPass is also vulnerable.



  • 7.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 11:37 AM

    How do you test ArubaOS version?

     

    Regards,

    Tony Marques



  • 8.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 12:01 PM

    @tmarques wrote:

    How do you test ArubaOS version?

     

    Regards,

    Tony Marques


    what do you exactly mean? you can test it via the webinterface, that is the part that probably uses OpenSSL.

     

    if you webinterface isnt reachable via the internet you already excluded a big attack surface. within your own network you might be able to restrict access only from a management subnet.

     

    to test internal you can use the PoC python script or use this openssl command: openssl s_client -connect google.com:443 -tlsextdebug and look for the server extension heartbeat string in the begin.



  • 9.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 12:08 PM

    You will probably be vulnerable when:

     

    * You are using a captive portal which is running on the controller and/or ClearPass

    * You are using the controller for VIA

     



  • 10.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 01:09 PM

     

    Aruba controllers are also impacted.

     

    One POC run against a 7220 controllers running 6.3.1.4 returned back what looks to be part of an XML configuration file and at least CA information for the pub/priv key combination that ships as the default cert on the controllers. 

     

    I went into our Airwave 7.7.10 system and ran "yum update" which installed a patched openssl via CentOS upstream and the POC fails against it.

     


    #7220


  • 11.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 01:13 PM

    Everyone -

     

    I'm the security product manager at Aruba.  Please note that this is not a formal communication, we will be posting a formal communication on our website according to our security policy shortly.  That update will be posted here - http://www.arubanetworks.com/support-services/security-bulletins/

     

    We are still assessing our exposure to this vulnerability, but it clearly impacts AOS 6.3.x and AOS 6.4.x.  We are working on updates to these as I type this, with the intention of publishing them as soon as we can finish and complete testing.

     

    Until then, reducing access to the web GUI via control plane ACLs makes sense.  Other steps to limit exposure will be published as they are identified, and included in the security bulletin.

     

    We are doing a careful analysis of the impact - the problem with this attack is that it gives the attacker access to some parts of the memory of the attacked system.  The advice on the internet to change all private keys is based on the fear that the key could be in this segment of memory.  We're validating whether or not this is the case, but you will have to decide your organization's tolerance to this particular risk.

     

    Thanks for your understanding, and we'll keep you informed.

     



  • 12.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 04:49 PM

    We have also done a POC where we were able to get the session-id from a logged-in Web-GUI user and then use that session-id to get access to the management console of the controller.

     

    This is quite serious, limiting exposure of the controller's webserver is key here.



  • 13.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 08, 2014 08:31 PM

    Which version had this behaviour?  This is completely different than the curren SSL vunlerability and it is something we've done several patches to fix.



  • 14.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 09, 2014 03:56 AM

    This is at ArubaOS 6.3.1.4. Drop me an e-mail at arjan [at] securelink DOT nl if you want the output from ssltest.py.

     

    @ hdemir: you can use the control plane firewall for this. This is "firewall cp" in the CLI.



  • 15.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 09, 2014 06:36 AM

    i got this from aruba:

     

    -----BEGIN PGP SIGNED MESSAGE-----

    Hash: SHA1

     

    Dear Aruba Networks Customer/Partner:

     

    The purpose of this advisory is to address an important issue that affects Aruba Products that use the OpenSSL 1.0.1 Library.

     

    Advisory Number 040814

    CVE-2014-0160

     

     

    TITLE

     

    OpenSSL 1.0.1 library (Heartbleed) vulnerability.

     

     

    SUMMARY

     

    There is a very serious vulnerability that has been discovered in the OpenSSL 1.0.1 library. This vulnerability can allow an external attacker to extract segments of memory from a remote system without leaving any traces. This memory could contain vital security information, including private keys. These keys, in turn, could be used to mount a man-in-the-middle attack.

     

     

    AFFECTED VERSIONS

     

    — ArubaOS 6.3.x, 6.4.x

    — ClearPass 6.1.x, 6.2.x, 6.3.x

     

    Previous versions of these products used an earlier version of OpenSSL

    that is not vulnerable. No other Aruba products, including AirWave, Instant,

    run these compromised versions of OpenSSL. Aruba Central, Aruba Network’s

    cloud-based Wi-Fi offering, upgraded their web infrastructure to the latest,

    safe, version of OpenSSL on April 7 after the attack was first published.

     

     

    DETAILS

     

    OpenSSL is a very widely used library, and this vulnerability is likely to

    affect many systems and websites. Aruba Networks uses this library in

    different products to secure communications between our infrastructure and

    various clients. This bug is in OpenSSL's implementation of the TLS/DTLS

    (transport layer security protocols) heartbeat extension (RFC6520).

    When exploited it leads to the leak from the server to the client. 

    In some cases it has been demonstrated that key material may be part of

    this memory leak.

     

     

    DISCOVERY

     

    This vulnerability was announced through CVE-2014-0160.

     

     

    IMPACT

     

    OpenSSL is used in a variety of ways in Aruba products, including:

    * HTTPS communications via the Administrative Web GUI

    * HTTPS communications via Captive Portals

    * Secure RADIUS communication

    * Secure communication with some third party APIs

     

    CVSS v2 Base Score:5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)

     

     

    MITIGATION

     

    As always, Aruba Networks recommends that best security practices are

    followed, including reduction of possible attack surface areas by use

    of access control methods such as network-level ACLs to restrict access.

    However, given the ubiquitous use of OpenSSL, this may not completely

    protect your infrastructure.

     

     

    SOLUTION

     

    Aruba Networks will be publishing patch releases for the effected products

    by EOB April 10, 2014. We recommend that all customers upgrade to these

    versions immediately.

     

    ArubaOS 6.3.1.5

    ArubaOS 6.4.0.3

    ClearPass 6.1.X

    ClearPass 6.2.X

    ClearPass 6.3.X

     

    Given that there is a chance that key material may already

    have been compromised, we are further advising customers to consider

    replacing your certificates after the upgrade is completed.

     

    +----------------------------------------------------

     

    OBTAINING FIXED FIRMWARE

     

    Aruba customers can obtain the firmware on the support website:

                    http://support.arubanetworks.com

     

     

    Aruba Support contacts are as follows:

     

                    1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

                   

                    +1-408-754-1200 (toll call from anywhere in the world)

     

                    The full contact list is at:

                    http://www.arubanetworks.com/support-services/support-program/contact-support/

     

                    e-mail: support(at)arubanetworks.com

     

    Please, do not contact either "wsirt(at)arubanetworks.com" or

    "security(at)arubanetworks.com" for software upgrades.

     

     

    EXPLOITATION AND PUBLIC ANNOUNCEMENTS

     

    This vulnerability will be announced at

     

    Aruba W.S.I.R.T. Advisory:

    http://www.arubanetworks.com/support/alerts/aid-040814.asc

     

     

    STATUS OF THIS NOTICE: Final

     

    Although Aruba Networks cannot guarantee the accuracy of all statements

    in this advisory, all of the facts have been checked to the best of our

    ability. Aruba Networks does not anticipate issuing updated versions of

    this advisory unless there is some material change in the facts. Should

    there be a significant change in the facts, Aruba Networks may update

    this advisory.

     

    A stand-alone copy or paraphrase of the text of this security advisory

    that omits the distribution URL in the following section is an uncontrolled

    copy, and may lack important information or contain factual errors.

     

     

    DISTRIBUTION OF THIS ANNOUNCEMENT

     

    This advisory will be posted on Aruba's website at:

    http://www.arubanetworks.com/support/alerts/aid-040814.asc

     

     

    Future updates of this advisory, if any, will be placed on Aruba's worldwide

    website, but may or may not be actively announced on mailing lists or

    newsgroups. Users concerned about this problem are encouraged to check the

    above URL for any updates.

     

     

    REVISION HISTORY

     

          Revision 1.0 / 04-08-2014 / Initial release

     

     

    ARUBA WSIRT SECURITY PROCEDURES

     

    Complete information on reporting security vulnerabilities in Aruba Networks

    products, obtaining assistance with security incidents is available at

     

    http://www.arubanetworks.com/support-services/security-bulletins/

      

     

    For reporting *NEW* Aruba Networks security issues, email can be sent to

    wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive

    information we encourage the use of PGP encryption. Our public keys can be

    found at

     

    http://www.arubanetworks.com/support-services/security-bulletins/

     

     

    (c) Copyright 2014 by Aruba Networks, Inc.

    This advisory may be redistributed freely after the release date given at

    the top of the text, provided that redistributed copies are complete and

    unmodified, including all date and version information.

     

    -----BEGIN PGP SIGNATURE-----

    Version: GnuPG v2.0.20 (MingW32)

     

    iEYEARECAAYFAlNFCRYACgkQp6KijA4qefWDrwCgqLLPkAbhCUEXRGuz7wHmPeOY

    H7EAoNG4mdPkU5CGx4UjmQWHkLYZJz7y

    =VkbY

    -----END PGP SIGNATURE-----

     



  • 16.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 09, 2014 06:54 AM

    Thanks for the tip. We ask this for a long time from aruba and nobody tell about this feature. We will futher investigate how to use this "firewall cp".

     

    hdemir.

     

     

     



  • 17.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 09, 2014 06:59 AM

    Please note the control plane firewall was added in ArubaOS 6.3.



  • 18.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 09, 2014 02:01 AM

    Thanks for the info. I would like to remind the need for the "Management ACL" infrastructure for easy management. If we had such a function in ArubaOS;

     

    management-ip 10.0.0.1

     

    will suffice to protect the controller.

     

    Thanks again.

     



  • 19.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 09, 2014 10:34 AM

    Where in the Aruba Support Center -> Download software I need to go to download the pach?

     

    The pach is a OS update?



  • 20.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 10, 2014 02:21 AM

    Update is released...

    it's in the support center...



  • 21.  RE: Heartbleed - CVE-2014-0160 Problem
    Best Answer

    Posted Apr 10, 2014 02:50 AM
      |   view attached

    Hello all,

     
    We have just released a patch for the OpenSSL library vulnerability “Heartbleed bug”, CVE-2014-0160.  
    • For ClearPass 6.1 customers, you can apply this patch on all minor versions (6.1.1, 6.1.2, 6.1.3 and 6.1.4). 
    • For ClearPass 6.2. customers, you have to update to 6.2.6 cumulative patch and then apply this patch. Please review the attached README  for more information on this.
    • For ClearPass 6.3 customers, you have to update to 6.3.1 cumulative patch and then apply this patch. Please review the attached README for more information on this.
    In ClearPass UI, the patch should be visible on the Software Updates screen under the section “Firmware and Patch Updates” . It is also available on our support site (support.arubanetworks.com) at the following locations for offline update.  
     
    Downloads —> ClearPass —> Policy Manager —> Archives —> 6.1.0 —> Patches
     
    Downloads —> ClearPass —> Policy Manager —> Archives —> 6.2.0 —> Patches
     
    Downloads —> ClearPass —> Policy Manager —> Current Release —> Patches


  • 22.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 10, 2014 10:05 AM

    Has anyone upgraded to ArubaOS 6.1.3.5 yet and if so any issues they've encountered with this new release?



  • 23.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 10, 2014 10:09 AM

    i upgraded already and all went smooth !

    the only changes in this firmware is the sec-fix



  • 24.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 10, 2014 10:11 AM

    Hi Martin,

     

    Just to clarify, we're talking WLAN controller OS not ClearPass correct?



  • 25.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 10, 2014 10:13 AM

    Yes, i'm talking about the controller OS



  • 26.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 10, 2014 10:25 AM

    I aplogize, I meant to ask if anyone has upgraded to controller OS 6.3.1.5.



  • 27.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 10, 2014 10:33 AM

    well, i uograded to controller os 6.3.1.5 ;-)



  • 28.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 10, 2014 10:50 AM

    We tried and it not not working now? We are working on it to get back online again.

     

    hdemir.

     



  • 29.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 10, 2014 02:41 PM

    We have seen RADIUS can vulnerable to the OpenSSL heartbleed bug as well.

     

    You can extract upto 1KB of memory from the RADIUS server. Also see the announcement from FreeRADIUS: http://freeradius.org/security.html - ClearPass is using FreeRADIUS under the hood. 

     

    So patch up! Upgrade/update your ClearPass :)



  • 30.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 14, 2014 02:28 AM

    I dont see any download link on the support site. Is there a diret link to download the patch?

     

    Also the hyperlink in your message for support.arubanetworks.com takes it to the email login for Aruba instead of the support site.

     

    I am not sure how this can be the solution when it is not!



  • 31.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 14, 2014 02:35 AM
    You must sing in to get access to downloads.

    http://support.arubanetworks.com/DownloadSoftware/tabid/75/DMXModule/510/Command/Core_Download/Default.aspx?EntryId=13720

    You can just check for updates an your CPPM and it should be listed.


  • 32.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 14, 2014 02:38 AM

    Hi Troy, I dont have an account and just registered on the support site, which might take time.

     

    I already checked the CPPM for updates and didn't see it there and then I landed here for direct links.



  • 33.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 14, 2014 02:43 AM

    did you click Check status now on the CPPM it will show up if you have a valid subscription ID. there are no direct downloads unless you have a support account. 



  • 34.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 14, 2014 02:47 AM
      |   view attached

    Hi Troy, I didn't try Check Now before as the last checked time was coming up as todays date.

     

    After your message, I also clicked on Check Now and still it didn't show the 6.2.6 update available.

    (Image Attached)



  • 35.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 14, 2014 02:50 AM
    The second line item is the 6.2.6 patch and once that is installed the OpenSSL patch will show up.


  • 36.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 14, 2014 05:48 AM

    It worked, thanks!



  • 37.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Jun 06, 2014 07:22 AM

    HI All

     

    Which version of OpenSSL was CPPM and ArubaOS patched to? As their seems to be further information indicating an issue that requires an upgrade to v 1.0.1h. Are further patches likely to be made available?



  • 38.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Jun 06, 2014 07:23 AM

    Link for OpenSSL advisory notice: http://www.openssl.org/news/secadv_20140605.txt



  • 39.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Jun 06, 2014 07:32 AM


  • 40.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Jun 06, 2014 07:44 AM

    Oops! So it was. Thanks Troy



  • 41.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 11, 2014 07:37 AM

    This all seems a little confusing.  My Aruba controller is running 6.3.0.2_40034  We are not using Clearpass.

     

    The only patches I am aware off are for Clearpass.  Do I need to upgrade/patch my controller?  Please can you link direct to the location of the patch.

     

    I have allocated downtime this evening to carry out the fix, so I would appreciate someone getting back to me ASAP.

     

    THank you.



  • 42.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 11, 2014 07:40 AM

    Yes, you should upgrade. The patch is part of the 6.3.1.5 code

     

    http://support.arubanetworks.com/DownloadSoftware/tabid/75/DMXModule/510/EntryId/13660/Default.aspx

     



  • 43.  RE: Heartbleed - CVE-2014-0160 Problem

    Posted Apr 11, 2014 07:41 AM

    Thank you!