Controllerless Networks


AP 6.2.0.0-3.2.0.4_38110 vulnerability

  • 1.  AP 6.2.0.0-3.2.0.4_38110 vulnerability

    Posted Mar 04, 2014 05:42 AM

    Hello.
    I installed a new set of Aruba 105s at a remote office running corporate access with RADIUS auth and guest access with password auth, both on separate non-routed VLANs. The version is 6.2.0.0-3.2.0.4_38110.

    We also have the identical setup at our main office running Version 6.1.3.4-3.1.0.1_35899.

    A pen tester found that if you authenticate to the remote office guest wireless, then revisit the URL a few times (https://securelogin.arubanetworks.com/swarm.cgi?opcode=cp_generate&orig_url=687474703a2f2f736c617368646f742e6f72672f), the config, including the admin user/password and RADIUS password, is displayed in plain text.

    Then - very scary - if you go to the URL https://securelogin.arubanetworks.com/#home (despite being on a separate VLAN) you get the controller home page, which you can log in to with the previously found admin user/pass.

    This was mitigated by simply going to Settings > General and setting "Deny inter user bridging" to Enable and "Deny local routing" to Enable.

    At our main office (Version 6.1.3.4-3.1.0.1_35899) these settings are Disabled, but I am unable to replicate the issue here. So it must be a vulnerability with 6.2.0.0-3.2.0.4_38110.

    Has anyone come across this vulnerability before and know if it is fixed in later versions?

    Thanks



  • 2.  RE: AP 6.2.0.0-3.2.0.4_38110 vulnerability

    EMPLOYEE
    Posted Mar 04, 2014 06:22 AM

    You are running very old code.  Please upgrade to the latest, which has the fix.




  • 3.  RE: AP 6.2.0.0-3.2.0.4_38110 vulnerability

    Posted Mar 04, 2014 09:01 AM

    It's not that old; the 105s were purchased a few months ago and shipped with this version. We are running a much older version without this vulnerability. Do you know if this vulnerability is documented anywhere?


    Julian



  • 4.  RE: AP 6.2.0.0-3.2.0.4_38110 vulnerability

    Posted Mar 06, 2014 07:25 AM
    It is always good to go with the latest version. You may try the latest and do share here if the problem remains the same.