-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Aruba Networks Security Advisory Title: Aruba Mobility Controller TACACS User Authentication and Cross Site Scripting Vulnerabilities Aruba Advisory ID: AID-051408 Revision: 1.0 For Public Release on 05/14/2008 +---------------------------------------------------- 1.) TITLE: Mobility Controller TACACS User Authentication Vulnerability SUMMARY A user authentication vulnerability was discovered during standard bug reporting procedures in the Aruba Mobility Controller. This vulnerability only affects customers using TACACS authentication for Controller management users. AFFECTED ArubaOS VERSIONS 3.1.x, 3.2.x, and 3.3.x DETAILS Aruba Mobility Controllers may use external authentication methods to authenticate management users. A vulnerability in the TACACS authentication component may allow unauthorized web UI/ssh/telnet access to the Aruba Mobility Controller. TACACS is not the default authentication method and must be configured as an authentication method for users before it will be used. By default, user accounts and passwords are kept in a local database which is not vulnerable to this issue. Other authentication methods supported by the Aruba Mobility Controller are not vulnerable to this issue. IMPACT An attacker with web UI/ssh/telnet access to the Aruba Mobility Controller may be able to gain unauthorized access to the administration account of an Aruba Mobility Controller. CVSS BASE METRIC SCORE: 10 WORKAROUNDS Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the following steps will help to mitigate the risk: - - - Disable TACACS authentication for all accounts until such time as the patches can be applied. - - - Do not expose the Mobility Controller administrative interface to untrusted networks such as the Internet. SOLUTION Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the workaround steps will help to mitigate the risk. +---------------------------------------------------- 2.) TITLE: Mobility Controller Web UI Cross Site Scripting Vulnerabilities SUMMARY Cross-site scripting vulnerabilities were discovered during standard bug reporting procedures in the Aruba Mobility Controller. Certain malformed inputs to the web UI allow the injection of cross-site scripting (XSS) components, leading to a potential compromise of client web session integrity. AFFECTED ArubaOS VERSIONS 2.4.8.x-FIPS, 2.5.5.x, 2.5.6.x, 3.1.1.x, 3.2.0.x, 3.3.1.x DETAILS Aruba Mobility Controllers may present a web-based management and captive portal interface. Providing malformed input to the web UI may result in the presentation of that input to the user. Malicious XSS injection via the web UI may not require action to be taken by the victim. IMPACT An attacker with web UI access to the Aruba Mobility Controller may be able to compromise the integrity of a client web session or subvert the authentication exchange content to retrieve administrator authentication credentials to the Aruba Mobility Controller. CVSS BASE METRIC SCORE: 10 WORKAROUNDS Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the following steps will help to mitigate the risk: - - - Do not expose the Mobility Controller administrative interface to untrusted networks such as the Internet. SOLUTION Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the workaround steps will help to mitigate the risk. +---------------------------------------------------- OBTAINING FIXED FIRMWARES Aruba customers can obtain the firmware on the support website: http://www.arubanetworks.com/support. Aruba Support contacts are as follows: 1-800-WiFiLAN (1-800-943-4526) (toll free from within North America) +1-408-754-1200 (toll call from anywhere in the world) e-mail: support(at)arubanetworks.com Please, do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades. EXPLOITATION AND PUBLIC ANNOUNCEMENTS This vulnerability will be announced at Aruba W.S.I.R.T. Advisory: http://www.arubanetworks.com/support/wsirt/alerts/aid-051408.asc SecurityFocus Bugtraq http://www.securityfocus.com/archive/1 STATUS OF THIS NOTICE: Final Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. DISTRIBUTION OF THIS ANNOUNCEMENT This advisory will be posted on Aruba's website at: http://www.arubanetworks.com/support/alerts/aid-051408.asc Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. REVISION HISTORY Revision 1.0 / 05-14-2008 / Initial release ARUBA WSIRT SECURITY PROCEDURES Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at http://www.arubanetworks.com/support/wsirt.php For reporting *NEW* Aruba Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support/wsirt.php (c) Copyright 2008 by Aruba Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIK4mop6KijA4qefURAmm4AKDXdJ1eqIqHpWvXxuKb3B/iseoZsACg9fat 4lt+0tdZN9ciB7oRYTyt8rQ= =/pUB -----END PGP SIGNATURE-----