Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

We are running ArubaOS 6.1.3.10 on Aruba650 controller, does this OS get affected by Heartbleed bug

  • 1.  We are running ArubaOS 6.1.3.10 on Aruba650 controller, does this OS get affected by Heartbleed bug

    Posted Apr 14, 2014 12:36 AM

    We are running ArubaOS 6.1.3.10 on an Aruba650 controller. Is this OS affected by the Heartbleed bug in OpenSSL?



  • 2.  RE: We are running ArubaOS 6.1.3.10 on Aruba650 controller, does this OS get affected by Heartbleed bug

    EMPLOYEE
    Posted Apr 14, 2014 02:29 AM

    According to the security bulletin, ArubaOS 6.1 is not affected as it does not use the vulnerable SSL libraries.

     

    http://www.arubanetworks.com/support/alerts/aid-040814.asc

     

    AFFECTED VERSIONS
    
    - ArubaOS 6.3.x, 6.4.x
    - ClearPass 6.1.x, 6.2.x, 6.3.x
    
    Previous versions of these products used an earlier version of OpenSSL 
    that is not vulnerable.



  • 3.  RE: We are running ArubaOS 6.1.3.10 on Aruba650 controller, does this OS get affected by Heartbleed bug

    Posted Apr 14, 2014 02:33 AM

    Thanks hrobers.

     

    Is there any way to get this library version from ArubaOS command line? (or GUI)



  • 4.  RE: We are running ArubaOS 6.1.3.10 on Aruba650 controller, does this OS get affected by Heartbleed bug

    EMPLOYEE
    Posted Apr 14, 2014 03:24 AM

    I could not find how to get the library version.

     

    However, you can test if an appliance has heartbeat enabled with an openssl client (I use Ubuntu 12.04 for the tests below). Use OpenSSL with the following command-line options, and enter the command B when connected:

     

    # openssl s_client -connect 172.30.0.30:443 -tlsextdebug -debug -state
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    ......
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    B    <<<<<<< ENTER THE B HERE, IT WILL INITIATE A HEARTBEAT
    HEARTBEATING
    write to 0x22f01d0 [0x22fa213] (85 bytes => 85 (0x55))
    0000 - 18 03 02 00 50 47 82 3b-d6 c5 f0 f9 13 3a 77 5a   ....PG.;.....:wZ
    0010 - 9c 37 f1 04 4e 06 12 d8-fb 1a 00 b1 19 92 3e c2   .7..N.........>.
    0020 - 21 57 4d da 62 70 cf 28-26 06 18 89 9c 2d f3 86   !WM.bp.(&....-..
    0030 - 5e a9 16 1d 41 7e f5 ea-77 d1 0e 2e f3 5a 38 10   ^...A~..w....Z8.
    0040 - 75 e1 1e ef 18 fc f6 d1-1c ec 8a 43 e3 3d a6 66   u..........C.=.f
    0050 - a0 42 c5 17 5f                                    .B.._
    read from 0x22f01d0 [0x22f5cc3] (5 bytes => 5 (0x5))
    0000 - 18 03 02 00 50                                    ....P
    read from 0x22f01d0 [0x22f5cc8] (80 bytes => 80 (0x50))
    0000 - e0 55 6b e4 5b 3f 14 9d-34 9d c0 13 0f 59 ee e1   .Uk.[?..4....Y..
    0010 - f8 24 db 01 2d 33 01 f5-10 b5 13 e6 9d a0 ba 63   .$..-3.........c
    0020 - 48 07 d0 1e be 1e 64 f7-38 eb 3a a7 a1 f6 62 ee   H.....d.8.:...b.
    0030 - 08 15 1f 45 7f a5 08 9f-0e 5e 54 f4 0b cf 98 56   ...E.....^T....V
    0040 - e7 71 2c 0a ff 86 89 b1-d1 9e c9 c4 0a ba 53 22   .q,...........S"
    read R BLOCK

    This one IS vulnerable.

     

    The following is NOT (peer does not accept heartbeats):

     

    % openssl s_client -connect 192.168.31.1:443 -tlsextdebug -debug -state
    ....

        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    B
    HEARTBEATING
    140691834463904:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:t1_lib.c:2521:
    write to 0x12e21d0 [0x12ec213] (37 bytes => 37 (0x25))
    0000 - 15 03 02 00 20 1b 94 8f-82 3f 40 6c 4d 2b 11 b6   .... ....?@lM+..
    0010 - 9a 62 6f f7 2a 90 a5 b2-2e 67 1e a0 6d f5 03 75   .bo.*....g..m..u
    0020 - 66 a4 a3 8f e5                                    f....
    SSL3 alert write:warning:close notify

    Herman
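
The two outcomes in the post above can be told apart mechanically from a saved `s_client -debug` transcript by decoding the 5-byte TLS record header at the start of each dump (type 0x18 is a heartbeat record, 0x15 an alert). This is an added example, not code from the thread or from Aruba; the function names, result strings and sample transcripts are constructed for illustration.

```python
import re

# TLS record content types (RFC 5246); 0x18 heartbeat comes from RFC 6520.
TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake",
         0x17: "application_data", 0x18: "heartbeat"}
IO_LINE = re.compile(r"^(read|write) (?:from|to) 0x[0-9a-f]+ \[0x[0-9a-f]+\] \((\d+) bytes")
HDR_LINE = re.compile(r"^0000 - " + " ".join(["([0-9a-f]{2})"] * 5))
REFUSED = "peer does not accept heartbearts"  # spelling as printed by OpenSSL

def records_after_heartbeat(transcript):
    """Decode the TLS record headers in -debug dumps after HEARTBEATING."""
    records, pending = [], None
    tail = transcript.partition("HEARTBEATING")[2]
    for line in (raw.strip() for raw in tail.splitlines()):
        io, hdr = IO_LINE.match(line), HDR_LINE.match(line)
        if io:
            pending = (io.group(1), int(io.group(2)))  # direction, bytes dumped
            continue
        if hdr and pending:
            ctype, major, _minor, hi, lo = (int(b, 16) for b in hdr.groups())
            length = (hi << 8) | lo
            # Count a dump as a record only if its first 5 bytes form a plausible header.
            if ctype in TYPES and major == 3 and pending[1] in (5, 5 + length):
                records.append((pending[0], TYPES[ctype], length))
        pending = None
    return records

def classify(transcript):
    """Map a saved s_client transcript to the outcomes shown in the thread."""
    seen = {(d, t) for d, t, _ in records_after_heartbeat(transcript)}
    if REFUSED in transcript:
        return "peer does not accept heartbeats"
    if ("read", "heartbeat") in seen:
        return "peer answered the heartbeat"
    if ("write", "heartbeat") in seen:
        return "heartbeat sent, no reply seen"
    return "no heartbeat attempted"

# Constructed transcripts shaped like the two outputs in the thread (bytes are filler).
ACCEPTS = """HEARTBEATING
write to 0x1000 [0x2000] (85 bytes => 85 (0x55))
0000 - 18 03 02 00 50 aa aa aa-aa aa aa aa aa aa aa aa   ....P...........
read from 0x1000 [0x3000] (5 bytes => 5 (0x5))
0000 - 18 03 02 00 50                                    ....P
"""
REFUSES = """HEARTBEATING
error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:t1_lib.c:2521:
write to 0x1000 [0x2000] (37 bytes => 37 (0x25))
0000 - 15 03 02 00 20 cc cc cc-cc cc cc cc cc cc cc cc   .... ...........
"""
```

A heartbeat reply shows that the extension is enabled on the peer; the vendor bulletin linked earlier in the thread remains the reference for which software versions are affected.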



  • 5.  RE: We are running ArubaOS 6.1.3.10 on Aruba650 controller, does this OS get affected by Heartbleed bug

    Posted Apr 14, 2014 03:28 AM

    Appreciate it..