Re: Heartbleed - CVE-2014-0160 Problem

Everyone -


I'm the security product manager at Aruba.  Please note that this is not a formal communication; we will be posting a formal communication on our website according to our security policy shortly.  That update will be posted here -


We are still assessing our exposure to this vulnerability, but it clearly impacts AOS 6.3.x and AOS 6.4.x.  We are working on updates to these as I type this, with the intention of publishing them as soon as we can finish and complete testing.


Until then, reducing access to the web GUI via control plane ACLs makes sense.  Other steps to limit exposure will be published as they are identified, and included in the security bulletin.


We are doing a careful analysis of the impact - the problem with this attack is that it gives the attacker access to some parts of the memory of the attacked system.  The advice on the internet to change all private keys is based on the fear that the key could be in this segment of memory.  We're validating whether or not this is the case, but you will have to decide your organization's tolerance to this particular risk.


Thanks for your understanding, and we'll keep you informed.


Frequent Contributor II

Re: Heartbleed - CVE-2014-0160 Problem

We have also done a POC where we were able to get the session-id from a logged-in Web-GUI user and then use that session-id to get access to the management console of the controller.


This is quite serious, limiting exposure of the controller's webserver is key here.

ACMX#255 | ACDX#742 | ACCX#746 | AMFX#25 | ACMP | ACCP | AWMP

Re: Heartbleed - CVE-2014-0160 Problem

Which version had this behaviour?  This is completely different from the current SSL vulnerability and it is something we've done several patches to fix.

Contributor I

Re: Heartbleed - CVE-2014-0160 Problem

Thanks for the info. I would like to remind you of the need for the "Management ACL" infrastructure for easy management. If we had such a function in ArubaOS;




will suffice to protect the controller.


Thanks again.


Frequent Contributor II

Re: Heartbleed - CVE-2014-0160 Problem

This is at ArubaOS Drop me an e-mail at arjan [at] securelink DOT nl if you want the output from


@ hdemir: you can use the control plane firewall for this. This is "firewall cp" in the CLI.

ACMX#255 | ACDX#742 | ACCX#746 | AMFX#25 | ACMP | ACCP | AWMP
Occasional Contributor II

Re: Heartbleed - CVE-2014-0160 Problem

I got this from Aruba:





Dear Aruba Networks Customer/Partner:


The purpose of this advisory is to address an important issue that affects Aruba Products that use the OpenSSL 1.0.1 Library.


Advisory Number 040814






OpenSSL 1.0.1 library (Heartbleed) vulnerability.





There is a very serious vulnerability that has been discovered in the OpenSSL 1.0.1 library. This vulnerability can allow an external attacker to extract segments of memory from a remote system without leaving any traces. This memory could contain vital security information, including private keys. These keys, in turn, could be used to mount a man-in-the-middle attack.





— ArubaOS 6.3.x, 6.4.x

— ClearPass 6.1.x, 6.2.x, 6.3.x


Previous versions of these products used an earlier version of OpenSSL that is not vulnerable. No other Aruba products, including AirWave, Instant, run these compromised versions of OpenSSL. Aruba Central, Aruba Networks' cloud-based Wi-Fi offering, upgraded their web infrastructure to the latest, safe, version of OpenSSL on April 7 after the attack was first published.





OpenSSL is a very widely used library, and this vulnerability is likely to affect many systems and websites. Aruba Networks uses this library in different products to secure communications between our infrastructure and various clients. This bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When exploited, it leads to a leak of memory from the server to the client. In some cases it has been demonstrated that key material may be part of this memory leak.





This vulnerability was announced through CVE-2014-0160.





OpenSSL is used in a variety of ways in Aruba products, including:

* HTTPS communications via the Administrative Web GUI

* HTTPS communications via Captive Portals

* Secure RADIUS communication

* Secure communication with some third party APIs


CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)





As always, Aruba Networks recommends that best security practices are followed, including reduction of possible attack surface areas by use of access control methods such as network-level ACLs to restrict access. However, given the ubiquitous use of OpenSSL, this may not completely protect your infrastructure.





Aruba Networks will be publishing patch releases for the affected products by EOB April 10, 2014. We recommend that all customers upgrade to these versions immediately.




ClearPass 6.1.X

ClearPass 6.2.X

ClearPass 6.3.X


Given that there is a chance that key material may already have been compromised, we are further advising customers to consider replacing your certificates after the upgrade is completed.






Aruba customers can obtain the firmware on the support website:




Aruba Support contacts are as follows:


                1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)


                +1-408-754-1200 (toll call from anywhere in the world)


                The full contact list is at:



                e-mail: support(at)


Please, do not contact either "wsirt(at)" or "security(at)" for software upgrades.





This vulnerability will be announced at


Aruba W.S.I.R.T. Advisory:





Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory.


A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.





This advisory will be posted on Aruba's website at:



Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.





      Revision 1.0 / 04-08-2014 / Initial release





Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at

For reporting *NEW* Aruba Networks security issues, email can be sent to wsirt(at) or security(at) For sensitive information we encourage the use of PGP encryption. Our public keys can be found at



(c) Copyright 2014 by Aruba Networks, Inc.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.



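The heartbeat length mismatch the advisory describes (RFC6520 heartbeat extension, CVE-2014-0160), shown as an added example that is not part of this thread or of Aruba's or OpenSSL's code: a small Python checker that applies the bounds check the OpenSSL fix introduced (1 + 2 + payload_length + 16 must fit in the record body) to constructed TLS heartbeat records, the way a packet inspector or IDS rule flags an oversized request before it ever reaches a vulnerable server.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TLS_HEARTBEAT = 0x18   # TLS record content type for the RFC 6520 heartbeat extension
HB_PADDING_MIN = 16    # RFC 6520: at least 16 bytes of random padding follow the payload


@dataclass
class HeartbeatCheck:
    msg_type: int        # 1 = heartbeat_request, 2 = heartbeat_response
    declared_len: int    # payload_length field claimed by the sender
    available: int       # payload bytes actually carried in the record
    malformed: bool      # True when declared_len cannot fit inside the record


def check_heartbeat_record(record: bytes) -> Optional[HeartbeatCheck]:
    """Apply the bounds check that the CVE-2014-0160 fix added to OpenSSL:
    1 (type) + 2 (length) + payload_length + 16 (padding) must not exceed
    the record body. Returns None for records that are not heartbeats."""
    if len(record) < 5:
        return None
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return None
    body = record[5:5 + rec_len]
    if len(body) < 3:
        # the heartbeat header itself is truncated; treat as malformed
        return HeartbeatCheck(0, 0, 0, True)
    msg_type, declared = struct.unpack("!BH", body[:3])
    available = max(0, len(body) - 3 - HB_PADDING_MIN)
    malformed = 1 + 2 + declared + HB_PADDING_MIN > len(body)
    return HeartbeatCheck(msg_type, declared, available, malformed)


# Constructed sample records (not captured traffic): TLS 1.1 record header,
# heartbeat_request, 4-byte payload "ping", 16 bytes of zero padding.
BENIGN_HEARTBEAT = bytes.fromhex("1803020017" "01" "0004" "70696e67") + b"\x00" * 16
# Same 23-byte body, but payload_length claims 0x4000 bytes: the mismatch an
# unpatched OpenSSL would honour and a detector should flag.
OVERSIZED_HEARTBEAT = bytes.fromhex("1803020017" "01" "4000" "70696e67") + b"\x00" * 16
# An application_data record (type 0x17) is ignored by the check.
NON_HEARTBEAT = bytes.fromhex("1703020004" "deadbeef")

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_HEARTBEAT), ("oversized", OVERSIZED_HEARTBEAT)]:
        print(name, check_heartbeat_record(rec))
```

The same check applied to heartbeat responses leaving a server is a useful telemetry signal, since a response far larger than anything the client requested is exactly the leak the advisory warns about.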







Contributor I

Re: Heartbleed - CVE-2014-0160 Problem

Thanks for the tip. We have been asking Aruba for this for a long time and nobody told us about this feature. We will further investigate how to use this "firewall cp".






Frequent Contributor II

Re: Heartbleed - CVE-2014-0160 Problem

Please note the control plane firewall was added in ArubaOS 6.3.

ACMX#255 | ACDX#742 | ACCX#746 | AMFX#25 | ACMP | ACCP | AWMP
Frequent Contributor I

Re: Heartbleed - CVE-2014-0160 Problem

Where in the Aruba Support Center -> Download software do I need to go to download the patch?


Is the patch an OS update?

Occasional Contributor II

Re: Heartbleed - CVE-2014-0160 Problem

Update is released...

it's in the support center...
