OpenSSL vulnerability

  • 1.  OpenSSL vulnerability

    Posted Apr 08, 2014 11:26 AM

    All of our v6.4.0.2 controllers are reporting to be vulnerable to the zero-day OpenSSL bug.

     

    Is there any timeline for updates/patches to close the hole?

     

    We ACL block outside access to the controllers, but are limited to how much we can scope inside access.



  • 2.  RE: OpenSSL vulnerability

    EMPLOYEE
    Posted Apr 08, 2014 11:28 AM


  • 3.  RE: OpenSSL vulnerability

    Posted Apr 08, 2014 11:32 AM

    Thanks. I searched for OpenSSL but didn't turn up anything, should have been searching for heartbleed :/



  • 4.  RE: OpenSSL vulnerability

    Posted Apr 08, 2014 01:19 PM

    Everyone -

     

    I'm the security product manager at Aruba.  Please note that this is not a formal communication, we will be posting a formal communication on our website according to our security policy shortly.  That update will be posted here - http://www.arubanetworks.com/support-services/security-bulletins/

     

    We are still assessing our exposure to this vulnerability, but it clearly impacts AOS 6.3.x and AOS 6.4.x.  We are working on updates to these as I type this, with the intention of publishing them as soon as we can finish and complete testing.

     

    Until then, reducing access to the web GUI via control plane ACLs makes sense.  Other steps to limit exposure will be published as they are identified, and included in the security bulletin.

     

    We are doing a careful analysis of the impact - the problem with this attack is that it gives the attacker access to some parts of the memory of the attacked system.  The advice on the internet to change all private keys is based on the fear that the key could be in this segment of memory.  We're validating whether or not this is the case, but you will have to decide your organization's tolerance to this particular risk.

     

    Thanks for your understanding, and we'll keep you informed.



  • 5.  RE: OpenSSL vulnerability

    Posted Apr 09, 2014 08:19 AM

    Are the IAP products affected?



  • 6.  RE: OpenSSL vulnerability

    Posted Apr 09, 2014 08:26 AM

    No, IAP is not affected.  Only the following:

     

    • ArubaOS 6.3.x, 6.4.x
    • ClearPass 6.1.x, 6.2.x, 6.3.x

     

    See http://www.arubanetworks.com/support/alerts/aid-040814.asc for details.



  • 7.  RE: OpenSSL vulnerability

    Posted Apr 09, 2014 05:34 PM

    Got an email today from the security team and they will be issuing new patches within the next couple of days to address the vulnerability.


  • 8.  RE: OpenSSL vulnerability

    Posted Apr 09, 2014 06:18 PM

    Images have been posted on the support site.



  • 9.  RE: OpenSSL vulnerability

    Posted Apr 09, 2014 06:41 PM

    I don't see an update for ClearPass..



  • 10.  RE: OpenSSL vulnerability

    Posted Apr 09, 2014 06:42 PM

    Ooops.  Sorry.  I was referring to AOS.  ClearPass should be up soon.



  • 11.  RE: OpenSSL vulnerability

    Posted Apr 10, 2014 07:29 AM

    ClearPass patches should not be visible from the Software Updates screen within the UI.  Please note the following conditions for CPPM 6.1, 6.2, and 6.3.

     

    • ClearPass 6.1 - patch can be applied to all minor versions (6.1.1, 6.1.2, 6.1.3 and 6.1.4). 
    • ClearPass 6.2 - patch can only be applied to 6.2.6 cumulative patch
    • ClearPass 6.3 - patch can only be applied to 6.3.1 cumulative patch

    For details on the version restrictions; see the attached document.



  • 12.  RE: OpenSSL vulnerability

    Posted Apr 10, 2014 11:30 AM

    My ClearPass server showed an update fix for the OpenTLS problem. It downloaded and installed all easy peasy like. Also, reading the release notes for ArubaOS 6.3.1.5, which was updated last night, it looks like the fix is in place there too. I'll be upgrading tonight.



  • 13.  RE: OpenSSL vulnerability

    Posted Apr 11, 2014 08:28 AM

    I have had a request for new certificates to be installed on devices. Is this because certificates may have been generated on vulnerable systems? I'm not sure whether to recommend to customers that they should get new certificates.



  • 14.  RE: OpenSSL vulnerability

    Posted Apr 11, 2014 08:40 AM

    The private key is sometimes exposed during heartbleed memory grab exploits, so Certs should be regenerated for best security practices, along with password changes.



  • 15.  RE: OpenSSL vulnerability

    Posted Apr 11, 2014 10:05 AM

    So, would I be correct in assuming that generating a new CSR also changes the private key?

     

    Otherwise regenerating a certificate would do nothing.



  • 16.  RE: OpenSSL vulnerability

    Posted Apr 11, 2014 11:38 AM

    Yes, you are correct.

     

    Mike


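The point settled in the last two replies, shown with actual commands, as an added example that is not part of the thread and not Aruba's code: a CSR built from the existing key file keeps the possibly leaked private key (same modulus), whereas a CSR built with `-newkey` rotates it. The example drives the openssl command line through subprocess in a temporary directory; the subject name is a placeholder.

```python
"""Key rotation after Heartbleed: a new CSR only helps if it sits on a new key.

Added example driving the openssl CLI; not Aruba's code. The subject name
is a placeholder. Comparing the RSA modulus of key, CSR and certificate is
the standard way to tell whether they belong to the same key pair."""
import os
import shutil
import subprocess
import tempfile

SUBJECT = "/CN=controller.example.edu"   # placeholder subject


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _openssl(*args: str) -> str:
    proc = subprocess.run(["openssl", *args], check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def modulus(kind: str, path: str) -> str:
    """RSA modulus of a private key ('rsa'), CSR ('req') or certificate ('x509').
    Equal moduli mean the same key pair."""
    return _openssl(kind, "-noout", "-modulus", "-in", path)


def generate_key(path: str, bits: int = 2048) -> None:
    _openssl("genrsa", "-out", path, str(bits))


def csr_reusing_key(key_path: str, csr_path: str, subject: str = SUBJECT) -> None:
    """New request, same key: a CA will happily sign it, but nothing was rotated."""
    _openssl("req", "-new", "-key", key_path, "-out", csr_path, "-subj", subject)


def csr_with_fresh_key(key_path: str, csr_path: str, subject: str = SUBJECT, bits: int = 2048) -> None:
    """Fresh key pair plus CSR in one step; this is the rotation."""
    _openssl("req", "-new", "-newkey", f"rsa:{bits}", "-nodes",
             "-keyout", key_path, "-out", csr_path, "-subj", subject)


def run_rotation_demo() -> dict:
    """Generate an 'old' key, then a CSR both ways, and compare moduli."""
    with tempfile.TemporaryDirectory() as d:
        old_key = os.path.join(d, "old.key")
        generate_key(old_key)
        reuse_csr = os.path.join(d, "reuse.csr")
        csr_reusing_key(old_key, reuse_csr)
        new_key, new_csr = os.path.join(d, "new.key"), os.path.join(d, "new.csr")
        csr_with_fresh_key(new_key, new_csr)
        return {
            "reused_csr_keeps_old_key": modulus("req", reuse_csr) == modulus("rsa", old_key),
            "fresh_csr_matches_new_key": modulus("req", new_csr) == modulus("rsa", new_key),
            "new_key_differs_from_old": modulus("rsa", new_key) != modulus("rsa", old_key),
        }


if __name__ == "__main__":
    print(run_rotation_demo() if openssl_available() else "openssl not found")
```

After the CA returns the new certificate, the same modulus comparison (`modulus("x509", cert_path)` against the new key) confirms you are installing the certificate for the rotated key and not for the old one. The same check applies to any appliance whose "regenerate certificate" button may silently keep the existing key.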

  • 17.  RE: OpenSSL vulnerability

    EMPLOYEE
    Posted Apr 28, 2014 12:38 PM

    So if the controller is using the default certificate for captive portal and webui, I assume that the new version will replace those certificates?



  • 18.  RE: OpenSSL vulnerability

    Posted Apr 28, 2014 12:49 PM

    No, the default certificate that is used for captive portal, etc, is built into the software image and is not protected in any way. Every controller ships with the exact same certificate, and it has been "in the wild" for many years.  It was not updated as part of the OpenSSL patch.

     

    Because of this, we have always advised customers to purchase certs or generate their own.  You can get certs for as little as $10 online.  I got mine from ssls.com, you can get them from your Microsoft CA if you have one, generate them using opensource tools if you are resourceful.



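A fleet check that follows from the reply above, as an added example that is not part of the thread and not Aruba's code: if every controller ships with the same built-in certificate, then controllers still on the default will all present an identical certificate fingerprint. The example fetches each served certificate with the standard library and groups hosts by SHA-256 fingerprint; the host names are placeholders and the sample certificates are constructed bytes, not real certificates.

```python
"""Flag hosts that present the same TLS certificate (default cert still in use).

Added example using only the Python standard library; host names are
placeholders and SAMPLE_PEMS below are constructed, not real certificates."""
import hashlib
import ssl
from collections import defaultdict


def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding of a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_fingerprint(host: str, port: int = 443) -> str:
    """Fetch the certificate a host serves. No validation is attempted: the
    point is to identify the certificate, not to trust it."""
    return fingerprint_pem(ssl.get_server_certificate((host, port)))


def shared_certificates(fingerprints: dict) -> dict:
    """Group hosts by fingerprint and keep only fingerprints served by more than one host."""
    groups = defaultdict(list)
    for host, fp in fingerprints.items():
        groups[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def audit(hosts, fetch=fetch_fingerprint) -> dict:
    """Audit a list of hosts; `fetch` is injectable so the logic runs offline."""
    return shared_certificates({h: fetch(h) for h in hosts})


# Constructed sample data: three hosts, two of which serve the same "certificate".
SAMPLE_PEMS = {
    "controller-a.example.edu": ssl.DER_cert_to_PEM_cert(b"constructed-default-cert"),
    "controller-b.example.edu": ssl.DER_cert_to_PEM_cert(b"constructed-default-cert"),
    "controller-c.example.edu": ssl.DER_cert_to_PEM_cert(b"constructed-unique-cert"),
}


def sample_audit() -> dict:
    return audit(SAMPLE_PEMS, fetch=lambda h: fingerprint_pem(SAMPLE_PEMS[h]))


if __name__ == "__main__":
    for fp, hosts in sample_audit().items():
        print(f"{fp[:16]}... shared by {', '.join(hosts)}")
```

Any group the audit returns is either the image-embedded default or a certificate you deliberately deployed to several hosts; compare against the fingerprints of the certificates you issued to tell the two apart.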
  • 19.  RE: OpenSSL vulnerability

    Posted Apr 09, 2014 10:21 PM

    I can see the link to the new images, but when I try to download them I get access denied.

     

    Thanks.



  • 20.  RE: OpenSSL vulnerability

    Posted Apr 09, 2014 10:29 PM

    I was able to download what I needed. I checked the image against the sha256 hash and they were correct.


  • 21.  RE: OpenSSL vulnerability

    Posted Apr 09, 2014 10:35 PM

    Apparently it is just a problem for me in Firefox.  Tried it again in Chrome and it lets me download it.  Strange.