| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Apr 2009 10:19:23 -0700 From: Robbie Gill <rgill@...banetworks.com> To: bugtraq@...urityfocus.com Subject: Aruba Advisory ID: AID-42309 Management User Authentication Bypass Vulnerability When Using Public Key Based SSH Authentication -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Aruba Networks Security Advisory Title: Management User Authentication Bypass Vulnerability When Using Public Key Based SSH Authentication. Aruba Advisory ID: AID-42309 Revision: 1.0 For Public Release on 4/23/2009 +---------------------------------------------------- SUMMARY A management user authentication bypass vulnerability was discovered during standard internal bug reporting procedures in the Aruba Mobility Controller. This vulnerability only affects customers using public key based SSH authentication for controller management users. AFFECTED ArubaOS VERSIONS ~ 3.3.1.x, 3.3.2.x, RN 1.0, RN 2.0 DETAILS Aruba Mobility Controllers allow public key authentication of users accessing the controller using SSH. A vulnerability in the key based SSH authentication component may allow unauthorized SSH access to the Aruba Mobility Controller. Key based SSH authentication is not the default SSH authentication method and must be configured as an authentication method for users before it will be used. By default SSH authentication uses username-password scheme for authenticating management users, which is not vulnerable to this issue. Other authentication methods supported by the Aruba Mobility Controller are also not vulnerable to this issue. IMPACT An attacker with SSH access to the Aruba Mobility Controller may be able to gain unauthorized access to the management account of an Aruba Mobility Controller. CVSS v2 BASE METRIC SCORE: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N) WORKAROUNDS Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the following steps will help to mitigate the risk: - - - Disable public key based SSH authentication for management accounts until such time as the patches can be applied and switch to using username-password based authentication scheme. - - - Do not expose the Mobility Controller administrative interface to untrusted networks such as the Internet. SOLUTION Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the workaround steps will help to mitigate the risk. The following patches have the fix (any newer patch will also have the fix): - - - 3.3.1.24 - - - 3.3.2.11 - - - 3.3.2.8-rn-2.1_20469 Please note We highly recommend that you upgrade your Mobility Controller to the latest available patch on the Aruba support site corresponding to your currently installed release. +---------------------------------------------------- OBTAINING FIXED FIRMWARE Aruba customers can obtain the firmware on the support website: http://www.arubanetworks.com/support. Aruba Support contacts are as follows: 1-800-WiFiLAN (1-800-943-4526) (toll free from within North America) +1-408-754-1200 (toll call from anywhere in the world) e-mail: support(at)arubanetworks.com Please, do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades. EXPLOITATION AND PUBLIC ANNOUNCEMENTS This vulnerability will be announced at Aruba W.S.I.R.T. Advisory: http://www.arubanetworks.com/support/alerts/aid-42309.asc SecurityFocus Bugtraq http://www.securityfocus.com/archive/1 STATUS OF THIS NOTICE: Final Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. DISTRIBUTION OF THIS ANNOUNCEMENT This advisory will be posted on Aruba's website at: http://www.arubanetworks.com/support/alerts/aid-42309.asc Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. REVISION HISTORY ~ Revision 1.0 / 04-23-2009 / Initial release ARUBA WSIRT SECURITY PROCEDURES Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at http://www.arubanetworks.com/support/wsirt.php For reporting *NEW* Aruba Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support/wsirt.php ~ (c) Copyright 2009 by Aruba Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJ8fSbp6KijA4qefURAmGVAJ9TnXOQH5rzVJvR2kF7WiAFX7fxRgCg+VlQ s6ynSCD4eryMuzVn2+fzEVM= =h1bZ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists