-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ADVISORY NUMBER 070611 Advisory # 1: TITLE Cross Site Scripting vulnerability in ArubaOS and AirWave Administration Web Interfaces. SUMMARY A persistent Cross Site Scripting vulnerability (XSS) was discovered where an attacker could plant an AP with maliciously crafted SSID in the general vicinity of the wireless LAN and might be able to trigger a XSS vulnerability in the reporting sections of the ArubaOS and AirWave Administration WebUIs. AFFECTED VERSIONS - - ArubaOS 3.3.X, 3.4.X, 5.0.X, 6.0.X, 2.4.X-FIPS, 3.3.X-FIPS and 3.4.X-FIPS - - AirWave 7.2.X DETAILS ArubaOS and AirWave maintain information on all wireless network SSIDs and APs visible on the wireless network and the general vicinity. This information is used for security and reporting purposes. An attacker could plant an AP with maliciously crafted SSID and might trigger a XSS vulnerability in certain sections of the ArubaOS and AirWave Administration WebUIs related to reporting. This vulnerability would manifest when administrator would log in to the WebUI and browse to the reporting section. This vulnerability requires the administrator to be successfully logged in with valid credentials. However the malicious AP does not have to be beaconing the SSID continuously as the SSID information is stored in the controller for sometime for reporting purposes after it is first observed. IMPACT An attacker could plant an AP with maliciously crafted SSID in the general vicinity of the wireless LAN and might trigger a XSS vulnerability in reporting section of the ArubaOS and AirWave WebUIs. This vulnerability could potentially be used to execute commands on the controller with admin credentials. NOTE: This vulnerability manifests when the administrator is successfully logged in with valid credentials and browses to the affected reporting sections of the ArubaOS and AirWave WebUIs. CVSS v2 BASE METRIC SCORE: 4.8 (AV:A/AC:L/AU:N/C:P/I:P/A:N) WORKAROUNDS Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. SOLUTION Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. The following patches have the fix (any newer patch will also have the fix): - - ArubaOS 3.3.3.10 - - ArubaOS 3.4.4.2 - - ArubaOS 5.0.3.2 - - ArubaOS 6.0.1.1 - - ArubaOS 2.4.8.27-FIPS - - ArubaOS 3.3.2.21-FIPS - - ArubaOS 3.4.4.0-FIPS - - AirWave 7.2.2 The FIPS releases noted above are currently undergoing FIPS certification and are available from Aruba on request. Please note: We highly recommend that you upgrade your Mobility Controller to the latest available patch on the Aruba support site corresponding to your currently installed release. +---------------------------------------------------- Advisory # 2: TITLE HTTP Response splitting vulnerability in ArubaOS Captive Portal Web Interface SUMMARY A HTTP Response splitting vulnerability was discovered in ArubaOS's Captive Portal Web Interface where an attacker might be able to force authenticated captive portal users to bypass the custom welcome page post authentication and redirect them to a site of attacker's choice. AFFECTED VERSIONS - - ArubaOS 3.3.X, 3.4.X, 5.0.X, 6.0.X, 2.4.X-FIPS, 3.3.X-FIPS and 3.4.X-FIPS DETAILS ArubaOS allows for authenticated captive portal users to be redirected to a custom welcome web page post authentication. A HTTP Response splitting vulnerability was discovered that could be exploited by an attacker to force authenticated captive portal users to completely bypass the custom welcome page and be redirected to a website of attacker's choice. Attacker might achieve this by sending a maliciously crafted URL to the user in an email. When user clicks on the link and authenticates successfully to the captive portal, he/she might be redirected to a site of attacker's choice rather than the captive portal's custom welcome page. This vulnerability does not affect the default captive portal configuration where no custom welcome page is used. IMPACT An attacker could force an authenticated captive portal user to be redirected to a website of attacker's choice rather than captive portal's custom welcome page. For this vulnerability to manifest, user would have to click on a maliciously crafted link and then authenticate successfully to the presented captive portal authentication page. NOTE: Default captive portal configuration is NOT vulnerable to this issue where no custom welcome page is configured. CVSS v2 BASE METRIC SCORE: 4.9 (AV:N/AC:M/AU:S/C:P/I:P/A:N) HOW TO IDENTIFY IF YOU ARE VULNERABLE If the following lines exist in your configuration for a particular active captive portal profile then you are vulnerable. aaa authentication captive-portal ... ... welcome-page ! WORKAROUNDS Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the following steps will help to mitigate the risk: - - Disable welcome page all together. This will result in users directly landing at the site they requested. aaa authentication captive-portal no enable-welcome-page ! - - Disable custom welcome page. This will result in users being presented with default Aruba captive portal welcome page aaa authentication captive-portal no welcome-page ! SOLUTION Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. The following patches have the fix (any newer patch will also have the fix): - - Aruba OS 3.3.3.10 - - Aruba OS 3.4.4.2 - - Aruba OS 5.0.3.2 - - Aruba OS 6.0.1.1 - - Aruba OS 2.4.8.27-FIPS - - Aruba OS 3.3.2.21-FIPS - - Aruba OS 3.4.4.0-FIPS The FIPS releases noted above are currently undergoing FIPS certification and are available from Aruba on request. Please note: We highly recommend that you upgrade your Mobility Controller to the latest available patch on the Aruba support site corresponding to your currently installed release. +---------------------------------------------------- OBTAINING FIXED FIRMWARE Aruba customers can obtain the firmware on the support website: http://www.arubanetworks.com/support. Aruba Support contacts are as follows: 1-800-WiFiLAN (1-800-943-4526) (toll free from within North America) +1-408-754-1200 (toll call from anywhere in the world) e-mail: support(at)arubanetworks.com Please, do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades. EXPLOITATION AND PUBLIC ANNOUNCEMENTS This vulnerability will be announced at Aruba W.S.I.R.T. Advisory: http://www.arubanetworks.com/support/alerts/aid-070611.asc SecurityFocus Bugtraq http://www.securityfocus.com/archive/1 STATUS OF THIS NOTICE: Final Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. DISTRIBUTION OF THIS ANNOUNCEMENT This advisory will be posted on Aruba's website at: http://www.arubanetworks.com/support/alerts/aid-070611.asc Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. REVISION HISTORY Revision 1.0 / 07-06-2011 / Initial release ARUBA WSIRT SECURITY PROCEDURES Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at http://www.arubanetworks.com/support-services/aruba-support-program/security-bulletins/ For reporting *NEW* Aruba Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support-services/aruba-support-program/security-bulletins/ (c) Copyright 2011 by Aruba Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iEYEARECAAYFAk4UpScACgkQp6KijA4qefV8gACaAh/bahe7ZSBcCPG4vzBL/uNB 5T0AoP7IpulmU7oIJrggrJ2wEccJCLSS =xv+e -----END PGP SIGNATURE-----