-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Advisory Number 08182014
CVE-2014-3511
TITLE
OpenSSL Multiple Vulnerabilities (August 2014)
SUMMARY
On August 6, 2014, the OpenSSL Foundation announced multiple vulnerabilities in OpenSSL
through the advisory at https://www.openssl.org/news/secadv_20140806.txt. A number of
Aruba Networks products make use of OpenSSL. This advisory has been created to describe
Aruba's exposure to these vulnerabilities.
AFFECTED PRODUCTS
Information leak in pretty printing functions (CVE-2014-3508)
- No Aruba products affected
Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
- No Aruba products affected
Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
- No Aruba products affected
Double Free when processing DTLS packets (CVE-2014-3505)
- No Aruba products affected
DTLS memory exhaustion (CVE-2014-3506)
- No Aruba products affected
DTLS memory leak from zero-length fragments (CVE-2014-3507)
- No Aruba products affected
OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
- No Aruba products affected
OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
- Multiple Aruba products impacted. See below for further details.
SRP buffer overrun (CVE-2014-3512)
- No Aruba products affected
AFFECTED VERSIONS (for CVE-2014-3511)
- ArubaOS (6.3.x prior to 6.3.1.11, 6.4.x prior to 6.4.2.1 - including FIPS versions)
- ClearPass (6.3.x prior to 6.3.5, 6.4.x prior to 6.4.1)
- AirWave (7.7.x prior to 7.7.13, 8.0.x prior to 8.0.4)
NOT AFFECTED
- ArubaOS 6.2.x, 6.1.x, 5.x, and 3.4.x
- ArubaOS 7.x
- Aruba Central (already patched)
- Aruba Instant (IAP)
- Aruba VIA
- MeshOS
DETAILS
A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message is
badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a higher
protocol version, by modifying the client's TLS records.
DISCOVERY
These vulnerabilities were announced publicly by the OpenSSL Foundation.
IMPACT
OpenSSL is used in a variety of ways in Aruba products, including:
* HTTPS communications via the Administrative Web GUI
* HTTPS communications via Captive Portal
* 802.1X
* Secure LDAP communication
* Secure communication with some third party APIs
* VIA profile download
The Aruba products listed above include support for TLS 1.2. An attacker successfully
carrying out the attack described by CVE-2014-3511 could cause a TLS connection to fall
back to TLS 1.0. The impact would be that stronger ciphersuites only available in TLS 1.2,
such as ciphersuites that make use of SHA256/SHA384, would not be available, and instead
the connection would make use of SHA1 for integrity protection. Note that while SHA1
is expected to become deprecated in the future, it is not today considered particularly
weak.
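The fragmentation condition described under DETAILS and the TLS 1.0 fallback described above, as an added example that is not Aruba's or OpenSSL's code: a minimal TLS record parser a defender can run over captured bytes to flag a ClientHello whose first fragment is too short to carry client_version, and to check the version a ServerHello actually negotiated against a TLS 1.2 minimum. The 6-byte threshold, the record layouts and the sample bytes are this example's own assumptions and constructions.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def parse_records(data):
    """Split raw TLS bytes into (content_type, record_version, payload) tuples."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, (major, minor), payload))
        off += 5 + length
    return records

def clienthello_fragment_suspicious(data, min_len=6):
    """True if the record that begins a ClientHello carries fewer than min_len bytes,
    i.e. the 4-byte handshake header plus the 2-byte client_version is not complete
    in the first fragment. The 6-byte threshold is this example's assumption."""
    for ctype, _ver, payload in parse_records(data):
        if ctype == HANDSHAKE and payload:
            return payload[0] == CLIENT_HELLO and len(payload) < min_len
    return False

def negotiated_version(data):
    """Return the server_version named in the first ServerHello record, or None."""
    for ctype, _ver, payload in parse_records(data):
        if ctype == HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
            return TLS_VERSIONS.get((payload[4], payload[5]), "unknown")
    return None

def downgraded(server_bytes, minimum="TLS 1.2"):
    """True when the ServerHello picked a version below the required minimum."""
    order = list(TLS_VERSIONS.values())
    ver = negotiated_version(server_bytes)
    return ver in order and order.index(ver) < order.index(minimum)

def _rec(payload):                      # wrap a handshake payload in one TLS record
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(payload)) + payload

# Constructed samples (not captured traffic): a TLS 1.2 ClientHello sent intact and
# split so its first record holds only the handshake type byte, plus two ServerHellos.
CH_BODY = bytes([CLIENT_HELLO, 0, 0, 0x2a, 3, 3]) + b"\x00" * 0x2a
INTACT = _rec(CH_BODY)
FRAGMENTED = _rec(CH_BODY[:1]) + _rec(CH_BODY[1:])
SH_TLS10 = _rec(bytes([SERVER_HELLO, 0, 0, 0x26, 3, 1]) + b"\x00" * 0x26)
SH_TLS12 = _rec(bytes([SERVER_HELLO, 0, 0, 0x26, 3, 3]) + b"\x00" * 0x26)
```

After upgrading, a connection that still reports a version below the policy minimum via `downgraded()` is worth investigating rather than assuming the patch applied.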
Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This
rating system is a vendor-agnostic, open industry standard designed to convey
vulnerability severity and help determine the urgency and priority of response. The CVSS
score for this advisory is:
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
MITIGATION
Other than customers using Suite B cryptography, most Aruba customers do not depend on
TLS 1.2 being available. If the use of TLS 1.2 forms a critical layer of security in
your environment, Aruba recommends that TLS communication be made available only to
trusted network segments. Note that if Suite B cryptography is in use only for
IPsec communication, this vulnerability has no impact.
Otherwise, given the low security impact of this vulnerability, Aruba does not recommend
any additional mitigation steps. Upgrade to the latest supported version of software
during your next regularly scheduled maintenance window.
SOLUTION
Aruba Networks plans to publish patch releases for the affected products. We
recommend upgrading to these releases during your next regularly scheduled
maintenance window.
ArubaOS 6.3.1.11 (estimated release date 09/19/2014)
ArubaOS 6.4.2.1 (estimated release date 09/10/2014)
ClearPass 6.3.5 (estimated release date 09/08/2014)
ClearPass 6.4.1 (estimated release date 09/30/2014)
AirWave 7.7.13 (estimated release date 09/02/2014)
AirWave 8.0.4 (estimated release date 09/02/2014)
Note: If upgrading your AirWave Server to either version 7.7.13 or 8.0.4 is not
feasible, you may instead update OpenSSL manually using 'yum'.
+----------------------------------------------------
OBTAINING FIXED FIRMWARE
Aruba customers can obtain the firmware on the support website:
http://support.arubanetworks.com
Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/
e-mail: support(at)arubanetworks.com
Please do not contact "sirt(at)arubanetworks.com" for software upgrades.
STATUS OF THIS NOTICE: Initial
Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-08182014.txt
Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
REVISION HISTORY
Revision 1.0 / 08-19-2014 / Initial release
ARUBA SIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at
http://www.arubanetworks.com/support-services/security-bulletins/
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at
http://www.arubanetworks.com/support-services/security-bulletins/
(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.