-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aruba Wireless Networks Security Advisory

Title: Aruba Mobility Controller Guest User Privilege Escalation

Aruba Advisory ID: AID-021307
Revision: 1.0

For Public Release on 02/13/2007

References: US-CERT Advisory VU#613833

+---------------------------------------------------------------------

SUMMARY

A privilege escalation vulnerability was discovered during an external security audit of the Aruba Mobility Controller. This vulnerability affects customers using all versions of the Aruba Controller beginning with version 2.3. Knowledge of this internal account may permit unauthorized access to the wireless LAN via the captive portal or VPN interfaces, as well as access to administrative functions of the Mobility Controller through the CLI and web UI and login interfaces.

PRODUCTS AND FIRMWARE VERSIONS AFFECTED

Hardware: All Aruba Networks Mobility Controllers (200, 800, 2400, and 6000) running software versions greater than 2.0. Alcatel-Lucent OmniAccess Wireless 43xx and 6000 running software versions 2.0 and later.

DETAILS

Aruba Controllers support an internal guest role which is intended to be applied to users of a special "guest" account providing captive portal access to the wireless LAN (WLAN). Due to an implementation error, an adversary with knowledge of this internal account may gain unauthorized access to either the WLAN or the administrative interfaces of the Mobility Controller system.

IMPACT

If the Mobility Controller provides captive portal access to the WLAN with no additional security measures (for example, WPA-PSK), then an informed adversary may gain unauthorized access to the WLAN.

If VPN client authentication is used to enforce WLAN access control, and the adversary is in possession of the group key for the VPN, then unauthorized WLAN access (via the VPN) may also be possible.

An adversary with access to the management interfaces of the Mobility Controller (i.e.
CLI and/or web UI) may gain unauthorized access to the administrative functions of the system.

WORKAROUNDS

See Solution below.

SOLUTION

Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practicable. However, in the event that the patch cannot be immediately applied, the following steps will help to mitigate the risk:

- do not allow unrestricted access to the management interfaces of the system (i.e. the CLI and/or the web UI). If these interfaces are accessible via the network, disable that access until you are able to apply the patch
- ensure physical security for the management interfaces of the system; do not allow CLI access via telnet or ssh, and restrict access to the system console.
- for VPN access, require MSCHAPv2 rather than PAP for user authentication
- disable captive portal access

OBTAINING FIXED FIRMWARES

Aruba customers can obtain the firmware on the support website: http://www.arubanetworks.com/support.

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades.

EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at

Aruba W.S.I.R.T. Advisory: http://www.arubanetworks.com/support/wsirt/alerts/aid-021307.asc
US-CERT Advisory: http://www.kb.cert.org/vuls/id/613833
Security Focus Bugtraq: http://www.securityfocus.com/archive/1/459927/30/0/threaded

CREDIT

Aruba Networks thanks Maxim Salomon and Jan Meunther of n.runs AG for reporting this issue to the Aruba WSIRT team.

STATUS OF THIS NOTICE: Final

Although Aruba Wireless networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability.
Aruba Wireless Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Wireless Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at http://www.arubanetworks.com/support/wsirt/alerts/aid-021307.asc

Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.0 / 02-13-2007 / Initial release
Revision 1.1 / 08-02-2007 / Added credit section

ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Wireless Networks products, and obtaining assistance with security incidents, is available at http://www.arubanetworks.com/support/wsirt.php

For reporting *NEW* Aruba Wireless Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support/wsirt.php

(c) Copyright 2007 by Aruba Wireless Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGsqEqp6KijA4qefURAp7tAKCyf/vYQlx4oe0bkj+tyMq6RyT0ZgCgv+og
n9yiq0QMUyHL0k1XvYVDVZ0=
=LBz5
-----END PGP SIGNATURE-----