-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Aruba Networks Security Advisory

Title: Management User Authentication Bypass Vulnerability When Using Public Key Based SSH Authentication. 

Aruba Advisory ID: AID-42309
Revision: 1.0

For Public Release on 4/23/2009

+----------------------------------------------------

SUMMARY

A management user authentication bypass vulnerability was discovered during standard internal bug reporting procedures in 

the Aruba Mobility Controller. This vulnerability only affects customers using public key based SSH authentication for 

controller management users. 


AFFECTED ArubaOS VERSIONS

 3.3.1.x, 3.3.2.x, RN 1.0, RN 2.0


DETAILS

Aruba Mobility Controllers allow public key authentication of users accessing the controller using SSH. A vulnerability in 

the key based SSH authentication component may allow unauthorized SSH access to the Aruba Mobility Controller. Key based 

SSH authentication is not the default SSH authentication method and must be configured as an authentication method for 

users before it will be used. By default SSH authentication uses username-password scheme for authenticating management 

users, which is not vulnerable to this issue. Other authentication methods supported by the Aruba Mobility Controller are 

also not vulnerable to this issue.


IMPACT

An attacker with SSH access to the Aruba Mobility Controller may be able to gain unauthorized access to the management 

account of an Aruba Mobility Controller.


CVSS v2 BASE METRIC SCORE: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N) 


WORKAROUNDS

Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical.  However, in the event 

that a patch cannot immediately be applied, the following steps will help to mitigate the risk:

- - Disable public key based SSH authentication for management accounts until such time as the patches can be applied and 

switch to using username-password based authentication scheme. 

- - Do not expose the Mobility Controller administrative interface to untrusted networks such as the Internet.



SOLUTION

Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical.  However, in the event 

that a patch cannot immediately be applied, the workaround steps will help to mitigate the risk.

The following patches have the fix (any newer patch will also have the fix):

- - 3.3.1.24
- - 3.3.2.11
- - 3.3.2.8-rn-2.1_20469

Please note We highly recommend that you upgrade your Mobility Controller to the latest available patch on the Aruba 

support site corresponding to your currently installed release. 


+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website: 
	http://www.arubanetworks.com/support. 
   
Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

	+1-408-754-1200 (toll call from anywhere in the world)

	e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or 
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at 

Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-42309.asc

SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1


STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-3?09.asc


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY

      Revision 1.0 / 04-23-2009 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at
      http://www.arubanetworks.com/support/wsirt.php
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at 
	http://www.arubanetworks.com/support/wsirt.php


      (c) Copyright 2009 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJ8WmKp6KijA4qefURAv8VAKDGhnKRkTEYetGuEG+HD4AIZGrivgCfb5/o
8f77u16q5Ra3Du0Uhe/thgQ=
=6Vq6
-----END PGP SIGNATURE-----