Security

 View Only
Expand all | Collapse all

Security/vulnerability advisories

This thread has been viewed 61 times
  • 1.  Security/vulnerability advisories

    Posted Jun 30, 2014 04:01 PM

    Please subscribe to this thread if you would like to be notified of Aruba security or vulnerability advisories.  Currently we email these to anyone registered on support.arubanetworks.com, but some people do not have support accounts so we will be providing this thread as an alternative.

     

    -Jon



  • 2.  RE: Security/vulnerability advisories

    Posted Jul 03, 2014 03:18 PM
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    Advisory Number 07032014
    
    CVE-2014-4013 - SQL Injection vulnerability in ClearPass Policy Manager
    CVE-2014-4031 - Credential Disclosure vulnerability in ClearPass Policy Manager
    
    
    TITLE
     
    SQL Injection and Credential Disclosure Vulnerability in Aruba Networks ClearPass Policy Manager 
     
    
    SUMMARY
     
    SQL Injection and Credential Disclosure vulnerabilities have been discovered in
    Aruba Networks ClearPass Policy Manager. This advisory describes ClearPass' exposure to these 
    vulnerabilities.
    
    
    AFFECTED VERSIONS
     
    - -- ClearPass 5.X, 6.0.X, 6.1.X, 6.2.X, 6.3.X
     
    
    DETAILS
     
    An attacker with access to ClearPass Policy Manager's web interface can inject SQL commands
    using a carefully crafted request. In addition, such an attacker can force the disclosure of 
    credentials used to access the ClearPass Policy Manager database(s).  The attacker must
    have valid credentials to access ClearPass Policy Manager, although an administrator-level
    login is not necessary.
    
     
    DISCOVERY
    
    These vulnerabilities were discovered by Nate Roberts from Wipfli LLP in June, 2014.
    Aruba Networks would like to thank Nate for his assistance.
    
    
    IMPACT
    
    The attacker can discover credentials used to access ClearPass Policy Manager, as well as 
    discover additional information about the system such as the version number of ClearPass' 
    database engine. 
    
    Aruba Networks participates in the Common Vulnerability Scoring System (CVSS).
    This rating system is a vendor agnostic, industry open standard designed to 
    convey vulnerability severity and help determine urgency and priority of 
    response. 
    
    CVE-2014-4013: CVSS v2 Base Score: 4.9 (MEDIUM) (AV:A/AC:M/Au:S/C:P/I:P/A:P) 
    CVE-2014-4031: CVSS v2 Base Score: 5.5 (MEDIUM) (AV:A/AC:H/Au:S/C:P/I:P/A:C) 
    
    
    MITIGATION
     
    Aruba Networks recommends that all customers use access control methods such 
    as network-level ACLs to restrict access to the ClearPass Policy Manager UI. 
    If using ClearPass 6.1.0 and above, Aruba recommends that customers use 
    Access Control options available within the ClearPass administration interface 
    to permit access to ClearPass Policy Manager from secure network locations only.
     
     
    SOLUTION
    
    Aruba Networks recommends that all customers running either of the below 6.1.X 
    or 6.2.X versions apply the corresponding Security Patch released July 2014, 
    as soon as practical.
    
    	- ClearPass 6.1.4.55458, 6.1.4.61696, or 
    	- ClearPass 6.2.6.62196.
    
    Customers running either of the below 6.3.X versions apply the 6.3.4 
    (Cumulative Patch 4 – released July 2014), as soon as practical.
    
    	- ClearPass 6.3.0.60537, or 6.3.0.60730 or 6.3.0.61712, or 
    	- ClearPass 6.3.1.62009, or
    	- ClearPass 6.3.2.63239, and 
    	- ClearPass 6.3.3.63748 
    
    Customers running ClearPass versions prior to 6.1 are urged to upgrade to 
    ClearPass Policy Manager 6.1.4 as soon as practical.
    
    +----------------------------------------------------
    
    OBTAINING FIXED SOFTWARE
    
    Aruba customers can obtain software updates on the support website:
    	http://support.arubanetworks.com
    
    
    Aruba Support contacts are as follows:
    
    	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
    	
    	+1-408-754-1200 (toll call from anywhere in the world)
    
    	The full contact list is at:
    	http://www.arubanetworks.com/support-services/support-program/contact-support/
    
    	e-mail: support(at)arubanetworks.com
    
    Please do not contact "sirt(at)arubanetworks.com" for software upgrades.
    
    
    STATUS OF THIS NOTICE: Preliminary
    
    Although Aruba Networks cannot guarantee the accuracy of all statements
    in this advisory, all of the facts have been checked to the best of our
    ability. Aruba Networks does not anticipate issuing updated versions of
    this advisory unless there is some material change in the facts. Should
    there be a significant change in the facts, Aruba Networks may update
    this advisory.
    
    A stand-alone copy or paraphrase of the text of this security advisory
    that omits the distribution URL in the following section is an uncontrolled
    copy, and may lack important information or contain factual errors.
    
    
    DISTRIBUTION OF THIS ANNOUNCEMENT
    
    This advisory will be posted on Aruba's website at:
    http://www.arubanetworks.com/support/alerts/aid-07032014.txt
    
    
    Future updates of this advisory, if any, will be placed on Aruba's worldwide
    website, but may or may not be actively announced on mailing lists or
    newsgroups. Users concerned about this problem are encouraged to check the
    above URL for any updates.
    
    
    REVISION HISTORY
          Revision 1.0 / 07-03-2014 / Initial release
    
    
    ARUBA SIRT SECURITY PROCEDURES
    
    Complete information on reporting security vulnerabilities in Aruba Networks
    products, obtaining assistance with security incidents is available at
    
    http://www.arubanetworks.com/support-services/security-bulletins/
       
      
    For reporting *NEW* Aruba Networks security issues, email can be sent to
    sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
    PGP encryption. Our public keys can be found at 
    
    http://www.arubanetworks.com/support-services/security-bulletins/
    
    
    (c) Copyright 2014 by Aruba Networks, Inc.
    This advisory may be redistributed freely after the release date given at
    the top of the text, provided that redistributed copies are complete and
    unmodified, including all date and version information.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.22 (MingW32)
    
    iQEcBAEBCAAGBQJTsqwlAAoJEJj+CcpFhYbZY34IALflVWv5ANyMF5lmk5L/GvXf
    dIGtFdZeUYTqO7fB2w412RQdClRM6jxAN1oUpVmdoxpGNjgvyKI8e/+LQMLveHQN
    nK2eoBQGohWSQjHxbNf91KGTOmmyQu5ldSdSu6l8SaSYLzVBsWIg1HdfCH2q+IE2
    TUHWNSBDikTaK0vgNVD2eLWF2rknJJImdg9jhSaOrmrTGMbNZucib2VdEwJ0ezPy
    SfjhlGN+DjQQQ6UoMXP5GOYDp2INwm5ZpWHH/7Qe5Gyqoiq/dl0OD0gGFOjfNr2t
    UyaDkGKEXMhgGOkA/rty2gmrCpOMDCaaz6ejA25GphPs6sFuYayh30gIHY1SFT8=
    =jOvo
    -----END PGP SIGNATURE-----


  • 3.  RE: Security/vulnerability advisories

    Posted Aug 19, 2014 07:41 PM
      |   view attached

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Advisory Number 08182014
    CVE-2014-3511


    TITLE

    OpenSSL Multiple Vulnerabilities (August 2014)

    SUMMARY

    On August 6, 2014, the OpenSSL Foundation announced multiple vulnerabilities in OpenSSL
    through the advisory at https://www.openssl.org/news/secadv_20140806.txt. A number of
    Aruba Networks products make use of OpenSSL. This advisory has been created to describe
    Aruba's exposure to these vulnerabilities.


    AFFECTED PRODUCTS
    Information leak in pretty printing functions (CVE-2014-3508)
    - No Aruba products affected

    Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
    - No Aruba products affected

    Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
    - No Aruba products affected

    Double Free when processing DTLS packets (CVE-2014-3505)
    - No Aruba products affected

    DTLS memory exhaustion (CVE-2014-3506)
    - No Aruba products affected

    DTLS memory leak from zero-length fragments (CVE-2014-3507)
    - No Aruba products affected

    OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
    - No Aruba products affected

    OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
    - Multiple Aruba products impacted. See below for further details.

    SRP buffer overrun (CVE-2014-3512)
    - No Aruba products affected

     

    AFFECTED VERSIONS (for CVE-2014-3511)
    - ArubaOS (6.3.x prior to 6.3.1.11, 6.4.x prior to 6.4.2.1 - including FIPS versions)
    - ClearPass (6.3.x prior to 6.3.5, 6.4.x prior to 6.4.1)
    - AirWave (7.7.x prior to 7.7.13, 8.0.x prior to 8.0.4)

    NOT AFFECTED
    - ArubaOS 6.2.x, 6.1.x, 5.x, and 3.4.x
    - ArubaOS 7.x
    - Aruba Central (already patched)
    - Aruba Instant (IAP)
    - Aruba VIA
    - MeshOS


    DETAILS

    A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
    TLS 1.0 instead of higher protocol versions when the ClientHello message is
    badly fragmented. This allows a man-in-the-middle attacker to force a
    downgrade to TLS 1.0 even if both the server and the client support a higher
    protocol version, by modifying the client's TLS records.


    DISCOVERY

    These vulnerabilities were announced publicly by the OpenSSL Foundation.

     

    IMPACT

    OpenSSL is used in a variety of ways in Aruba products, including:
    * HTTPS communications via the Administrative Web GUI
    * HTTPS communications via Captive Portal
    * 802.1X
    * Secure LDAP communication
    * Secure communication with some third party APIs
    * VIA profile download

    The Aruba products listed above include support for TLS 1.2. An attacker successfully
    carrying out the attack described by CVE-2014-3511 could cause a TLS connection to fall
    back to TLS 1.0. The impact would be that stronger ciphersuites only available in TLS 1.2,
    such as ciphersuites that make use of SHA256/SHA384, would not be available, and instead
    the connection would make use of SHA1 for integrity protection. Note that while SHA1
    is expected to become deprecated in the future, it is not today considered particularly
    weak.

    Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This
    rating system is a vendor agnostic, industry open standard designed to convey
    vulnerability severity and help determine urgency and priority of response. The CVSS score
    for this release is:

    CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

     

    MITIGATION

    Other than customers using Suite B cryptography, most Aruba customers do not depend on
    TLS 1.2 being available. If the use of TLS 1.2 forms a critical layer of security in
    your environment, Aruba recommends that TLS communication be made available only to
    trusted network segments. Note that if Suite B cryptography is in use only for
    IPsec communication, this vulnerability has no impact.

    Otherwise, given the low security impact of this vulnerability, Aruba does not recommend
    any additional mitigation steps. Upgrade to the latest supported version of software
    during your next regularly scheduled maintenance window.



    SOLUTION

    Aruba Networks plans to publish patch releases for the affected products. We
    recommend upgrading to these releases during your next regularly scheduled
    maintenance window.

    ArubaOS 6.3.1.11 (estimated release date 09/19/2014)
    ArubaOS 6.4.2.1 (estimated release date 09/10/2014)
    ClearPass 6.3.5 (estimated release date 09/08/2014)
    ClearPass 6.4.1 (estimated release date 09/30/2014)
    AirWave 7.7.13 (estimated release date 09/02/2014)
    AirWave 8.0.4 (estimated release date 09/02/2014)
    Note: If upgrading your AirWave Server to either version 7.7.13 or 8.0.4 is not
    feasible, you may instead update OpenSSL manually using 'yum'.


    +----------------------------------------------------

    OBTAINING FIXED FIRMWARE

    Aruba customers can obtain the firmware on the support website:
    http://support.arubanetworks.com


    Aruba Support contacts are as follows:

    1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

    +1-408-754-1200 (toll call from anywhere in the world)

    The full contact list is at:
    http://www.arubanetworks.com/support-services/support-program/contact-support/

    e-mail: support(at)arubanetworks.com

    Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


    STATUS OF THIS NOTICE: Initial

    Although Aruba Networks cannot guarantee the accuracy of all statements
    in this advisory, all of the facts have been checked to the best of our
    ability. Aruba Networks does not anticipate issuing updated versions of
    this advisory unless there is some material change in the facts. Should
    there be a significant change in the facts, Aruba Networks may update
    this advisory.

    A stand-alone copy or paraphrase of the text of this security advisory
    that omits the distribution URL in the following section is an uncontrolled
    copy, and may lack important information or contain factual errors.


    DISTRIBUTION OF THIS ANNOUNCEMENT

    This advisory will be posted on Aruba's website at:
    http://www.arubanetworks.com/support/alerts/aid-08182014.txt


    Future updates of this advisory, if any, will be placed on Aruba's worldwide
    website, but may or may not be actively announced on mailing lists or
    newsgroups. Users concerned about this problem are encouraged to check the
    above URL for any updates.


    REVISION HISTORY
    Revision 1.0 / 08-19-2014 / Initial release


    ARUBA SIRT SECURITY PROCEDURES

    Complete information on reporting security vulnerabilities in Aruba Networks
    products, obtaining assistance with security incidents is available at

    http://www.arubanetworks.com/support-services/security-bulletins/


    For reporting *NEW* Aruba Networks security issues, email can be sent to
    sirt(at)arubanetworks.com. For sensitive information we encourage the use of
    PGP encryption. Our public keys can be found at

    http://www.arubanetworks.com/support-services/security-bulletins/


    (c) Copyright 2014 by Aruba Networks, Inc.
    This advisory may be redistributed freely after the release date given at
    the top of the text, provided that redistributed copies are complete and
    unmodified, including all date and version information.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.22 (MingW32)

    iQEcBAEBCAAGBQJT89/PAAoJEJj+CcpFhYbZHZwH+gO3QbEV6oOsjP08MeNDeq0J
    LDU9JhcX2pV2XKgIQOC1HitlPR4tbM7hfRqXAe5zSmoIRUGuKn7aMITgx8ZuUfQ7
    ywnz+lIri0zh2vwTnwFWQlKIHEDLynfaL1T/T3ur0+aVT7AhFFpLaS6SRvUGXUEw
    MgoF1MTOxRpwkt5qx5B13LWsCj2A9x81t5KqiUBQt4U1TGBdLfwv4IfxDxMpIQt4
    /n/BKWozbkySbWO1Y9XRwgKB1Rpgibc/XWHC08ZNBow8/yneJd4/wr6D50KvQadx
    XE5mT8OmtV8078suDMZ9E3EG+Ft/8OudkFgxut3pInqnI4Z9nb9uPOAshiKfVls=
    =AHmx
    -----END PGP SIGNATURE-----

    Attachment(s)

    txt
    aid-08182014.txt   7 KB 1 version


  • 4.  RE: Security/vulnerability advisories

    Posted Sep 29, 2014 08:53 PM

    The following is a revision to last week's advisory. The update should be posted to the public website shortly.

     

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    Advisory Number 09252014
    CVE-2014-6271
    CVE-2014-7169
    CVE-2014-6277
    CVE-2014-6278
    
    
    TITLE
     
    GNU bash Shell Multiple Vulnerabilities ("Shellshock")
     
    
    SUMMARY
     
    On September 24, 2014, a public announcement was made regarding a vulnerability in the GNU
    'bash' shell that could permit remote code execution.  This vulnerability was assigned
    CVE-2014-6271 and fixes were published.  The fix was incomplete, and a second vulnerability
    (CVE-2014-7169) was published.  Over the following days, additional vulnerabilities
    (CVE-2014-6277 and CVE-2014-6278) were also made public. 
    
    Some Aruba products contain the GNU bash shell, and this advisory has been created 
    to describe Aruba's exposure to these vulnerabilities.
    
    
    AFFECTED PRODUCTS
    	- AirWave (All versions prior to 7.7.13, 8.0.x prior to 8.0.4.1)
    	- Clearpass Policy Manager (All versions prior to 6.3.6, 6.4.x prior to 6.4.1)
    	- ALE (all versions prior to 1.2.3)
    	- Amigopod (All versions)
    
    
    NOT AFFECTED
    	- ArubaOS (all versions)
    	- Aruba Central (already patched)
    	- Aruba Instant (IAP)
    	- Aruba VIA
    	- MeshOS
    
    
    DETAILS
    
    Bash supports exporting not just shell variables, but also shell
    functions to other bash instances, via the process environment to
    (indirect) child processes.  Current bash versions use an environment
    variable named by the function name, and a function definition
    starting with “() {” in the variable value to propagate function
    definitions through the environment.  The vulnerability occurs because
    bash does not stop after processing the function definition; it
    continues to parse and execute shell commands following the function
    definition.  If bash is used as an interpreter for network-accessible
    scripts, an attacker could exploit the vulnerability to execute
    arbitrary code.
    
    
     
    DISCOVERY
    
    These vulnerabilities were announced publicly on September 24, 2014.
    
    
    
    IMPACT
    
    Aruba confirms that affected versions of 'bash' are included in the 
    Linux distributions used by AirWave, Amigopod, ALE, and ClearPass.  
    However, current testing and analysis indicates that the vulnerability
    is NOT exploitable over the network by an unauthenticated user.
    
    It is still possible that this vulnerability could be used by an 
    authenticated user to conduct a privilege escalation attack.  Aruba 
    has not yet been able to prove or disprove this vector, given the 
    complexity of the software. Aruba will post revisions of this advisory 
    if new information comes to light indicating a more serious impact.
    
    Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This 
    rating system is a vendor agnostic, industry open standard designed to convey 
    vulnerability severity and help determine urgency and priority of response. The CVSS score
    for this release is:
    
    CVSS V2 Base Score: 3.6 (LOW) (AV:N/AC:H/Au:S/C:P/I:P/A:N)
    
    
    MITIGATION
    
    Aruba recommends that wherever possible, affected products should not be
    exposed to untrusted networks such as the public Internet.  Apply patches
    as soon as they become available.
    
    
     
    SOLUTION
    
    As of this writing (September 29) the situation is still fluid; patches for bash have
    been published by RedHat and others, but it is unclear if those patches fully fix
    all problems. Aruba Networks has published patch releases for some affected 
    products and will continue to publish patches as new information becomes available.  
    The following versions contain fixes:
    
    ClearPass 6.2.6 patch - scheduled release date October 1, 2014
    ClearPass 6.3.5 patch - scheduled release date October 1, 2014
    ClearPass 6.3.6
    ClearPass 6.4.1 - scheduled release date September 30, 2014
    ALE 1.2.3 - scheduled release date October 1, 2014
    AirWave 7.7.13 - released September 26, 2014
    AirWave 8.0.4.1 - released September 26, 2014
      Note:  If upgrading your AirWave server to either version 7.7.13 or 8.0.4.1 is not 
             feasible,  you may instead update bash manually using 'yum'. The
    	 same procedure is available for ALE.
    
    Amigopod has reached the "End of Development" milestone and will not be updated.
    Customers should update Amigopod installations to ClearPass Guest to address this
    and any future security issues.
    
    +----------------------------------------------------
    
    OBTAINING FIXED FIRMWARE
    
    Aruba customers can obtain the firmware on the support website:
    	http://support.arubanetworks.com
    
    
    Aruba Support contacts are as follows:
    
    	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
    	
    	+1-408-754-1200 (toll call from anywhere in the world)
    
    	The full contact list is at:
    	http://www.arubanetworks.com/support-services/support-program/contact-support/
    
    	e-mail: support(at)arubanetworks.com
    
    Please do not contact "sirt(at)arubanetworks.com" for software upgrades.
    
    
    STATUS OF THIS NOTICE: Initial
    
    Although Aruba Networks cannot guarantee the accuracy of all statements
    in this advisory, all of the facts have been checked to the best of our
    ability. Aruba Networks does not anticipate issuing updated versions of
    this advisory unless there is some material change in the facts. Should
    there be a significant change in the facts, Aruba Networks may update
    this advisory.
    
    A stand-alone copy or paraphrase of the text of this security advisory
    that omits the distribution URL in the following section is an uncontrolled
    copy, and may lack important information or contain factual errors.
    
    
    DISTRIBUTION OF THIS ANNOUNCEMENT
    
    This advisory will be posted on Aruba's website at:
    http://www.arubanetworks.com/support/alerts/aid-09252014.txt
    
    
    Future updates of this advisory, if any, will be placed on Aruba's worldwide
    website, but may or may not be actively announced on mailing lists or
    newsgroups. Users concerned about this problem are encouraged to check the
    above URL for any updates.
    
    
    REVISION HISTORY
          Revision 1.0 / 09-25-2014 / Initial release
          Revision 1.1 / 09-29-2014 / Update.  New IMPACT section, updated SOLUTION.
    				  Severity downgraded to LOW.
    
    
    ARUBA SIRT SECURITY PROCEDURES
    
    Complete information on reporting security vulnerabilities in Aruba Networks
    products, obtaining assistance with security incidents is available at
    
    http://www.arubanetworks.com/support-services/security-bulletins/
       
      
    For reporting *NEW* Aruba Networks security issues, email can be sent to
    sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
    PGP encryption. Our public keys can be found at 
    
    http://www.arubanetworks.com/support-services/security-bulletins/
    
    
    (c) Copyright 2014 by Aruba Networks, Inc.
    This advisory may be redistributed freely after the release date given at
    the top of the text, provided that redistributed copies are complete and
    unmodified, including all date and version information.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.22 (MingW32)
    
    iQEcBAEBCAAGBQJUKfz/AAoJEJj+CcpFhYbZwd8H/1+Exfhvvj6G7E+eqLUa7TnZ
    6JnsCoxf+ZK73hi8gP1itkYQ0dVztHlTUmmPcV1S6IWYTDcqxZsssd10IGq6Dl4M
    3oLiCSIAsZnjBxq69zehfkZVS2T4XLa0ZCHlpODyvSBtfNp0amC/w7Y2yTPCXe7P
    rubX9SptSykbab4vb8SUKpUPN9asvbaMs9/MGJU08R+9P5spqY5J3OWK4o+D01xY
    uo4SZ7GM2n+N6ahqBXk2QAC1OO3glC6RHwf7lK7XYVB1AEQ8ZPPvOa0scR9kSC/N
    vRSFwKMd/PgoAcU/2w6JvG4V1Csw9TqNlxx8GiKXCTMM+Faa17+iiIK3PiB5Kgc=
    =p8z4
    -----END PGP SIGNATURE-----
    

     



  • 5.  RE: Security/vulnerability advisories

    Posted Oct 07, 2014 04:17 PM
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    Advisory Number 10072014
    CVE-2014-7299
    
    
    TITLE
     
    ArubaOS Authentication Bypass Vulnerability
     
    
    SUMMARY
     
    A vulnerability has been found in some ArubaOS versions that 
    may permit unauthenticated access to administrative interfaces 
    of Aruba controllers.
    
    
    AFFECTED PRODUCTS
    	- ArubaOS 6.3.1.11
    	- ArubaOS 6.3.1.11-FIPS
    	- ArubaOS 6.4.2.1
    	- ArubaOS 6.4.2.1-FIPS
    
    
    DETAILS
    
    It may be possible to obtain limited administrative privileges
    without valid credentials. The vulnerability affects access over
    SSH; access through WebUI and the serial port is not affected.
    The vulnerability does not provide "root" level access.
    
    
    DISCOVERY
    
    This vulnerability was discovered by Brian Julin of Clark University.
    Aruba would like to thank Mr. Julin for his assistance in
    discovering and reporting this problem.
    
    
    IMPACT
    
    An attacker may be able to login to an affected mobility controller
    and conduct the following type of activities:
     - Issue 'show' commands
     - Obtain encrypted password hashes for administrative accounts
     - View the running configuration
     - Add users to the internal user database with 'guest' rights
    
    CVSS V2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    
    
    
    MITIGATION
    
    Upgrade your controller to ArubaOS 6.3.1.12 or 6.4.2.2 or as soon 
    as possible. As an alternative, downgrading to 6.3.1.10 or 6.4.2.0 
    will also eliminate the vulnerability.
    
    If upgrading/downgrading is not an option, you may block SSH access
    from untrusted networks, or block it completely.  From the CLI:
    
    (config) #firewall cp
    (config-fw-cp) #ipv4 permit 10.100.1.0 255.255.255.0 proto ssh
    (config-fw-cp) #ipv4 deny any proto ssh
    
    The above will permit SSH only from subnet 10.100.1.0.  You may
    also permit SSH only from specific hosts:
    
    (config) #firewall cp
    (config-fw-cp) #ipv4 permit host 10.100.1.12 proto ssh
    (config-fw-cp) #ipv4 deny any proto ssh
    
    The above will permit SSH only from host 10.100.1.12.  Finally,
    you may block ALL access through SSH:
    
    (config) #firewall cp
    (config-fw-cp) #ipv4 deny any proto ssh
    
    - From the WebUI, navigate to Configuration->Advanced->Stateful Firewall->ACL White List
    where you may add equivalent rules using the "Add" button.
    
    If your controller operates in an IPv6 environment, you should also block
    access through IPV6.
     
    
    SOLUTION
    
    Aruba has made ArubaOS 6.3.1.12 and 6.4.2.2 available for download.  
    The vulnerability is fixed in these versions.
    
    Because encrypted password hashes may have been exposed, we recommend
    that administrative passwords be changed after software is updated.
    
    
    +----------------------------------------------------
    
    OBTAINING FIXED FIRMWARE
    
    Aruba customers can obtain the firmware on the support website:
    	http://support.arubanetworks.com
    
    
    Aruba Support contacts are as follows:
    
    	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
    	
    	+1-408-754-1200 (toll call from anywhere in the world)
    
    	The full contact list is at:
    	http://www.arubanetworks.com/support-services/support-program/contact-support/
    
    	e-mail: support(at)arubanetworks.com
    
    Please do not contact "sirt(at)arubanetworks.com" for software upgrades.
    
    
    STATUS OF THIS NOTICE: Initial
    
    Although Aruba Networks cannot guarantee the accuracy of all statements
    in this advisory, all of the facts have been checked to the best of our
    ability. Aruba Networks does not anticipate issuing updated versions of
    this advisory unless there is some material change in the facts. Should
    there be a significant change in the facts, Aruba Networks may update
    this advisory.
    
    A stand-alone copy or paraphrase of the text of this security advisory
    that omits the distribution URL in the following section is an uncontrolled
    copy, and may lack important information or contain factual errors.
    
    
    DISTRIBUTION OF THIS ANNOUNCEMENT
    
    This advisory will be posted on Aruba's website at:
    http://www.arubanetworks.com/support/alerts/aid-10072014.txt
    
    
    Future updates of this advisory, if any, will be placed on Aruba's worldwide
    website, but may or may not be actively announced on mailing lists or
    newsgroups. Users concerned about this problem are encouraged to check the
    above URL for any updates.
    
    
    REVISION HISTORY
          Revision 1.0 / 10-07-2014 / Initial release
    
    
    ARUBA SIRT SECURITY PROCEDURES
    
    Complete information on reporting security vulnerabilities in Aruba Networks
    products, obtaining assistance with security incidents is available at
    
    http://www.arubanetworks.com/support-services/security-bulletins/
       
      
    For reporting *NEW* Aruba Networks security issues, email can be sent to
    sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
    PGP encryption. Our public keys can be found at 
    
    http://www.arubanetworks.com/support-services/security-bulletins/
    
    
    (c) Copyright 2014 by Aruba Networks, Inc.
    This advisory may be redistributed freely after the release date given at
    the top of the text, provided that redistributed copies are complete and
    unmodified, including all date and version information.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.22 (MingW32)
    
    iQEcBAEBCAAGBQJULcxHAAoJEJj+CcpFhYbZ1EcH/0+mjDAXOcSaGczLF+PPPinn
    +xSPx0QfoAzt6hji+yRDP5AwFGts/qfue9WhSdY3wNqypDQoVdz7EvnLFemkGR/g
    N2H7GgiEwnFbY2liJoed8+KQin1PLFl1WofaRHroxm7iOGH1xzwBsAmoztTpv2j0
    sgCJx/Iur+47qaP7hmINWAtDXUWoO9NWVaZM7g0xyDxEAJqACJI4TgMXfzOElRjQ
    vyNh3ybeiWgkCb0dl9UUR/Q0J/fRZW7V6sZz389UGQ0PiwcFYfV+GGJEHo/wEbBN
    tIR2AZnLf+CGkwU0Gn8sLfuODUaNzhYHOGEcTCAgUlfQrRw8tTFzthbkCvydlu0=
    =yklw
    -----END PGP SIGNATURE-----
    

     



  • 6.  RE: Security/vulnerability advisories

    Posted Oct 14, 2014 08:29 PM
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    Advisory Number 10142014
    CVE­2014­3566
    
    
    TITLE
     
    SSL 3.0 "POODLE" Attack
     
    
    SUMMARY
     
    On October 14, 2014, the Google Security Team announced a practical attack
    against the SSL 3.0 protocol that could allow an attacker to recover encrypted 
    plaintext from an HTTPS session.  This advisory describes Aruba's exposure 
    to the attack.
    
    
    AFFECTED PRODUCTS
    	- ArubaOS (all versions)
    	- ClearPass Policy Manager (all versions)
    	- AirWave (all versions)
    	- Aruba Central
    	- Aruba Instant (all versions)
    
    
    NOT AFFECTED
    	- ArubaOS operating in FIPS mode
    	- ClearPass Policy Manager operating in FIPS mode
    
    
    DETAILS
    
    Refer to https://www.openssl.org/~bodo/ssl-poodle.pdf for full details.
    
     
    MITIGATION
    
     All Products
     ============
     All modern browsers support TLSv1 at a minimum, and most also support
     TLSv1.1 and TLSv1.2. We recommend disabling SSLv3 support in the
     browser.  As long as one side of the connection refuses to support
     SSLv3, the attack will be unsuccessful.
    
     ArubaOS
     =======
     ArubaOS when operating in FIPS mode does not support SSLv3.  For non-FIPS
     versions of ArubaOS, HTTPS protocols are configurable.  From the command
     line, the following command will enable only TLSv1:
        (config) #web-server ssl-protocol tlsv1
    
     
    SOLUTION
     
    Aruba Networks plans to publish patch releases for the affected products.  We 
    recommend upgrading to these releases during your next regularly scheduled 
    maintenance window.  Because this information is preliminary, the exact
    method that will be used to mitigate the attack is not yet known.  This 
    advisory will be updated once additional information becomes available.
    
    
    
    
    +----------------------------------------------------
    
    OBTAINING FIXED FIRMWARE
    
    Aruba customers can obtain the firmware on the support website:
    	http://support.arubanetworks.com
    
    
    Aruba Support contacts are as follows:
    
    	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
    	
    	+1-408-754-1200 (toll call from anywhere in the world)
    
    	The full contact list is at:
    	http://www.arubanetworks.com/support-services/support-program/contact-support/
    
    	e-mail: support(at)arubanetworks.com
    
    Please do not contact "sirt(at)arubanetworks.com" for software upgrades.
    
    
    STATUS OF THIS NOTICE: Initial
    
    Although Aruba Networks cannot guarantee the accuracy of all statements
    in this advisory, all of the facts have been checked to the best of our
    ability. Aruba Networks does not anticipate issuing updated versions of
    this advisory unless there is some material change in the facts. Should
    there be a significant change in the facts, Aruba Networks may update
    this advisory.
    
    A stand-alone copy or paraphrase of the text of this security advisory
    that omits the distribution URL in the following section is an uncontrolled
    copy, and may lack important information or contain factual errors.
    
    
    DISTRIBUTION OF THIS ANNOUNCEMENT
    
    This advisory will be posted on Aruba's website at:
    http://www.arubanetworks.com/support/alerts/aid-10142014.txt
    
    
    Future updates of this advisory, if any, will be placed on Aruba's worldwide
    website, but may or may not be actively announced on mailing lists or
    newsgroups. Users concerned about this problem are encouraged to check the
    above URL for any updates.
    
    
    REVISION HISTORY
          Revision 1.0 / 10-14-2014 / Initial release
    
    
    ARUBA SIRT SECURITY PROCEDURES
    
    Complete information on reporting security vulnerabilities in Aruba Networks
    products, obtaining assistance with security incidents is available at
    
    http://www.arubanetworks.com/support-services/security-bulletins/
       
      
    For reporting *NEW* Aruba Networks security issues, email can be sent to
    sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
    PGP encryption. Our public keys can be found at 
    
    http://www.arubanetworks.com/support-services/security-bulletins/
    
    
    (c) Copyright 2014 by Aruba Networks, Inc.
    This advisory may be redistributed freely after the release date given at
    the top of the text, provided that redistributed copies are complete and
    unmodified, including all date and version information.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.22 (MingW32)
    
    iQEcBAEBCAAGBQJUPb08AAoJEJj+CcpFhYbZx04H/jVbMW8WnCZdlY70bGWLOEMo
    UJjmk+HP4YgaHn25RqaEk/y24AQDq1ETrsYpRE/w3F0HyUmJbU/XR16ajB22hlT4
    BQnwv4b9o0Yy2PZos3V3dcwwlirSOPp8pCTS5Zw4pBPpWLlL+U8psqsrWt5YLlPa
    f9osP3grUxhpA7BJ+1HcN5pE906AkW7jEGLxTKyZMnD6M4AnfKwB7YEQHsXflkt5
    1GGHp0HKhg5tLSrCbD+XZN4bliFEK17DL68WZbOFJrzLTT2VVno8fi2jnA3stNvm
    B8tO0wI3HG1H1gEJNbcN4Z1N1KQG4/NYbE4++8yD7wBOW19enUlLasFuEoY5oUg=
    =wo6G
    -----END PGP SIGNATURE-----
    

     



  • 7.  RE: Security/vulnerability advisories

    Posted Oct 29, 2014 06:40 PM

    A new advisory has been posted at http://www.arubanetworks.com/support/alerts/aid-10282014.txt regarding multiple vulnerabilities in ClearPass.



  • 8.  RE: Security/vulnerability advisories

    Posted Nov 19, 2014 05:12 PM

    A new advisory has been posted at http://www.arubanetworks.com/support/alerts/aid-11192014.txt which covers two vulnerabilities - one in AirWave and one in ClearPass.



  • 9.  RE: Security/vulnerability advisories

    Posted Jan 27, 2015 08:03 PM

    A new advisory has been posted at http://www.arubanetworks.com/support/alerts/aruba-psa-2015-001.txt which covers a DoS vulnerability in Aruba Instant.



  • 10.  RE: Security/vulnerability advisories

    Posted Mar 18, 2015 06:41 PM

    A new security advisory has been posted at http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-004.txt

     



  • 11.  RE: Security/vulnerability advisories

    Posted Mar 26, 2015 05:47 PM

    A new advisory has been posted at http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-006.txt covering four vulnerabilities in ClearPass.  One of these has a severity level of "high".



  • 12.  RE: Security/vulnerability advisories

    Posted Mar 18, 2015 06:42 PM

    A new advisory has been posted covering four vulnerabilities in AirWave:

    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-005.txt

     



  • 13.  RE: Security/vulnerability advisories

    Posted May 29, 2015 11:38 AM

    Hi everyone-

     

    For those interested in getting an RSS feed of security advisories from Aruba, that feature is now available:  http://www.arubanetworks.com/security-advisory/feed/

     

    -Jon



  • 14.  RE: Security/vulnerability advisories

    Posted Jul 15, 2015 07:06 AM

    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-008.txt

     

    Note that a patch was made available for this yesterday afternoon.  Please update if you are running ClearPass 6.5.2.



  • 15.  RE: Security/vulnerability advisories

    Posted Aug 20, 2015 04:17 PM

    Please pay close attention if you are a ClearPass customer - some of these are critical.

     

    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-009.txt

     



  • 16.  RE: Security/vulnerability advisories

    Posted Feb 18, 2016 06:38 PM

    Please be advised that a preliminary advisory has been posted for this at http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-001-glibc.txt  

     

    The advisory will be updated as new information becomes available.  The software releases mentioned in the advisory are not released yet - we'll be working on getting those out as soon as practical.



  • 17.  RE: Security/vulnerability advisories

    Posted Apr 23, 2016 09:19 AM

    A new security advisory has been posted at http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-003-samba.txt

     

    This advisory affects all versions of ClearPass Policy Manager.  A hotfix has been posted on support.arubanetworks.com.

     

    Apologies for posting this on a Saturday - we have been trying to get this fix out as soon as possible.

     



  • 18.  RE: Security/vulnerability advisories

    Posted May 05, 2016 07:46 AM
      |   view attached

    Three new security advisories were posted yesterday.  The most significant relates to Aruba Instant.  Another is for AirWave.  The third is for ArubaOS. 

     

    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-004.txt

    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-005.txt

    http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-006.txt

     

    The attached PDF file also accompanies these advisories.

     

    Please start threads on the forum here if you have questions, and we'll do our best to help.

    Attachment(s)



  • 19.  RE: Security/vulnerability advisories

    Posted May 13, 2016 12:47 PM

    Two new security advisories have been posted, one for ArubaOS (http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-007.txt) and one for ClearPass (http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-008.txt).



  • 20.  RE: Security/vulnerability advisories

    Posted Jan 18, 2017 03:17 PM

    A new security advisory has been posted regarding two vulnerabilities in AirWave.  Please see details at http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt .

     



  • 21.  RE: Security/vulnerability advisories

    Posted Mar 10, 2017 07:27 PM

    A new advisory has been posted for this vulnerability.  Please see http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt


    Apologies for putting this out on a weekend, but it's all over the technology news and we've been getting questions all day.  It took a while to figure out which products were and weren't affected.



  • 22.  RE: Security/vulnerability advisories