[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4F677EE2.2040204@arubanetworks.com>
Date: Mon, 19 Mar 2012 11:45:54 -0700
From: RGill <rgill@...banetworks.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Aruba Networks multiple advisories: OS command injection in RAP web
interface and 802.1X EAP-TLS user authentication bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ADVISORY NUMBER 031912
Advisory # 1:
TITLE
OS Command Injection Vulnerability in Aruba Remote Access Point
Diagnostic Web Interface.
SUMMARY
An OS command injection vulnerability has been discovered in the Aruba
Remote Access Point's Diagnostic Web Interface. When running the
diagnostic web interface, arbitrary system commands can be executed as
the root user on the Remote device by an unauthenticated
attacker.
AFFECTED ArubaOS VERSIONS
5.0.x.x, 6.0.x.x, 6.1.x.x
DETAILS
The Remote Access Point provides a web interface to facilitate initial
provisioning of the device. This web interface provides functionality
to run some basic network diagnostics and enter configuration parameters
necessary for successful provisioning. An OS command injection
vulnerability has been discovered in this web interface where malicious
user input can be injected via form elements and run arbitrary system
commands on the device as root user. This diagnostic web interface can
be disabled after initial provisioning of the device.
IMPACT
An unauthenticated attacker can run arbitrary system commands on the
device as root user. This could lead to a full compromise of the device's
operating system.
This vulnerability applies only to the Aruba Remote Access Point and other
Aruba devices are not affected.
CVSS v2 BASE METRIC SCORE: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
WORKAROUNDS
Aruba Networks recommends not allowing access to the Aruba Remote Access
Point's diagnostic web interface after initial provisioning by applying an
access list (acl) to block HTTP and HTTPS protocol to its local IP. This
restricted acl needs to be in the highest position of the acl rules for
each user-role that should not have access to the diagnostic web
interface.
Example restricted IP access list added to a user-role called guest:
ip access-list session local_debug_restricted
user localip svc-http deny
user localip svc-https deny
user-role guest
access-list session local_debug_restricted
access-list session dns-acl
access-list session dhcp-acl
access-list session icmp-acl
access-list session http-acl
access-list session https-acl
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.
The following patches have the fix (any newer patch will also have the
fix):
- - - ArubaOS 5.0.4.2
- - - ArubaOS 6.0.2.1
- - - ArubaOS 6.1.2.4
CREDITS
This vulnerability was discovered and reported by Greg Ose of CME GROUP.
+----------------------------------------------------
Advisory # 2:
TITLE
802.1X User Authentication Bypass Vulnerability when EAP-TLS 802.1X local
termination is enabled on WLAN.
SUMMARY
An EAP-TLS 802.1X user authentication bypass vulnerability was discovered
during standard internal bug reporting procedures in the Aruba Mobility
Controller. This vulnerability only affects customers with EAP-TLS 802.1X
local termination enabled.
AFFECTED ArubaOS VERSIONS
6.1.x.x
DETAILS
Aruba Mobility Controllers allow for local termination of EAP-TLS 802.1X
authentication of wireless users accessing the network. Local 802.1X
termination allows rapid deployment of WLAN without requiring an external
authentication server capable of EAP-TLS authentication. A vulnerability
in the EAP-TLS 802.1X termination component in the Mobility Controller may
allow unauthorized network access to some users.
EAP-TLS 802.1X termination is not the default setup and must be configured
manually for before it will be used. Wireless and wired users
authenticating
to an external authentication server are NOT vulnerable. Other WLANs and
other wired ports on the same Mobility Controller that do not use local
termination of 802.1X EAP-TLS are NOT affected by this vulnerability.
IMPACT
An EAP-TLS 802.1X user may be able to gain unauthorized access to a WLAN
or a wired port configured with local 802.1X termination of EAP-TLS
authentications on the Aruba Mobility Controller.
CVSS v2 BASE METRIC SCORE: 6.1 (AV:A/AC:L/AU:N/C:C/I:N/A:N)
HOW TO IDENTIFY IF YOU ARE VULNERABLE
If the following lines exist in your configuration for a particular aaa
profile and that profile is assigned to an active virtual ap or wired
port,
then you are vulnerable.
aaa authentication dot1x <profile name>
termination enable
termination eap-type eap-tls
...
...
!
WORKAROUNDS
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch cannot
immediately be applied, the following steps will help to mitigate the
risk:
- - - Disable EAP-TLS 802.1X local termination for wireless and wired users
until such time as the patches can be applied and switch to using an
external EAP-TLS server for authenticating wireless users. If local 802.1X
termination cannot be disabled, switch to using another EAP method to
authenticate wireless and wired users.
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.
The following patches have the fix (any newer patch will also have the
fix):
- - - ArubaOS 6.1.2.6
+----------------------------------------------------
OBTAINING FIXED FIRMWARE
Aruba customers can obtain the firmware on the support website:
http://www.arubanetworks.com/support
Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
The full contact list is at:
http://www.arubanetworks.com/support-services/aruba-support-program/contact-support/
e-mail: support(at)arubanetworks.com
Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com"
for software upgrades.
EXPLOITATION AND PUBLIC ANNOUNCEMENTS
This vulnerability will be announced at
Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-031912.asc
SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1
STATUS OF THIS NOTICE: Final
Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update this
advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled
copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-031912.asc
Future updates of this advisory, if any, will be placed on Aruba's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the above URL for any updates.
REVISION HISTORY
Revision 1.0 / 03-19-2012 / Initial release
ARUBA WSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba
Networks products, obtaining assistance with security incidents is
available at
http://www.arubanetworks.com/support-services/security-bulletins/
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at
http://www.arubanetworks.com/support-services/security-bulletins/
(c) Copyright 2012 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk9nfuIACgkQp6KijA4qefUVJQCeMjTtvzemPQG1lw/nPMjKsS3b
5dMAn1pzhgWy52dM7MiuMriVrarpAX/J
=VDs4
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists