-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ADVISORY NUMBER
042613-2
CVE-2013-0166

TITLE
Multiple Vulnerabilities in OpenSSL

SUMMARY
On February 5, 2013 the OpenSSL Project issued three vulnerability notices
regarding various versions of OpenSSL, an open-source cryptographic library.
A number of Aruba Networks products make use of OpenSSL, including ArubaOS,
AirWave, and ClearPass Policy Manager. This advisory provides information on
how the OpenSSL vulnerabilities affect Aruba customers.

AFFECTED VERSIONS
- ArubaOS 6.1.3.7 and earlier, 6.2.1.1 and earlier, 6.1.4.3-FIPS and earlier
- Amigopod 3.9.7 and earlier
- ClearPass Policy Manager 6.0.x and earlier

DETAILS
CVE-2013-0166 is a denial of service attack against an OCSP client. A
malformed OCSP response from a server will cause the OCSP client to crash.

IMPACT
This vulnerability requires a malformed OCSP response from an OCSP responder.
Because Aruba products only perform OCSP transactions against a configured
OCSP responder (server), an attacker would need to compromise a specific OCSP
responder in order to exploit this vulnerability. A compromised OCSP responder
represents a significantly greater threat to network security than a partial
denial of service attack against an OCSP client.

ArubaOS
-------
If an Aruba controller is configured to validate client X.509 certificates
using OCSP, it will be affected by this vulnerability. Note that a crash of
the OCSP client in ArubaOS would not cause a complete controller crash; the
process would be automatically restarted.

AirWave
-------
AirWave does not support OCSP and is not affected.

Amigopod
--------
Amigopod prior to version 3.9.8 is affected by this vulnerability if it has
been configured to validate client X.509 certificates using an external OCSP
responder. Note that typically, Amigopod is configured to validate
certificates against only an internal OCSP responder; in this configuration
it would not be affected.

ClearPass Policy Manager
------------------------
CPPM prior to version 6.1 is affected by this vulnerability if it has been
configured to validate client X.509 certificates using an external OCSP
responder.

CVSS v2 BASE METRIC SCORE: 1.2 (AV:L/AC:H/AU:N/C:N/I:N/A:P) (LOW IMPACT)

WORKAROUNDS
None.

SOLUTION
Any software version newer than those given below will also contain the fix.

ArubaOS
-------
ArubaOS versions 6.1.3.8, 6.2.1.2, and 6.1.4.4-FIPS will contain the fix for
this vulnerability. Other branches will not be updated given the low CVSS
score of this vulnerability.

Amigopod
--------
Amigopod 3.9.8 contains a complete fix for this vulnerability.

ClearPass Policy Manager
------------------------
CPPM 6.1 contains a complete fix for this vulnerability.

+----------------------------------------------------

OBTAINING FIXED SOFTWARE
Aruba customers can obtain updated software on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com

Please do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.

EXPLOITATION AND PUBLIC ANNOUNCEMENTS
This vulnerability will be announced at Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-042613.asc

STATUS OF THIS NOTICE: Final
Although Aruba Networks cannot guarantee the accuracy of all statements in
this advisory, all of the facts have been checked to the best of our ability.
Aruba Networks does not anticipate issuing updated versions of this advisory
unless there is some material change in the facts. Should there be a
significant change in the facts, Aruba Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-042613-1.asc

Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.

REVISION HISTORY
Revision 1.0 / 04-26-2013 / Initial release

ARUBA WSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at
http://www.arubanetworks.com/support-services/aruba-support-program/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at
http://www.arubanetworks.com/support-services/aruba-support-program/security-bulletins/

(c) Copyright 2013 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAlGLF8QACgkQp6KijA4qefWecQCg0lFwQq9zZqyBptqsvWJR2LfN
yFMAoLo8Ud2WpbXq385LUqUA67Yiwkqa
=3bnm
-----END PGP SIGNATURE-----
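Added example (not part of the signed advisory above and not Aruba's own tooling): the script below turns the AFFECTED VERSIONS and SOLUTION sections into an inventory check, so an operator can tell for each ArubaOS, Amigopod or ClearPass Policy Manager version whether it is at or above a fixed release, below the fix on a train that has one, or on a train the advisory lists no fix for. The fixed releases are taken from the advisory; the rule that a "release train" is everything but the last numeric component of a fixed release (6.1.3.x, 6.2.1.x, 6.1.4.x-FIPS, 3.9.x, 6.x) and the sample inventory are assumptions constructed for the example. It classifies version exposure only; per the IMPACT section, a device is actually exposed only if it is configured to validate client certificates against an (external) OCSP responder.

```python
"""Inventory check for Aruba advisory 042613-2 (CVE-2013-0166, OpenSSL OCSP
client denial of service).  Added example for this page, not Aruba tooling.

Fixed releases come from the advisory's SOLUTION section.  The release-train
rule (all but the last numeric component of a fixed release) is an assumption.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[Tuple[int, ...], str]  # (numeric components, build suffix such as "FIPS")

# Fixed releases per product, from the SOLUTION section of the advisory.
FIXED = {
    "ArubaOS": ["6.1.3.8", "6.2.1.2", "6.1.4.4-FIPS"],
    "Amigopod": ["3.9.8"],
    "ClearPass Policy Manager": ["6.1"],
}


def parse_version(text: str) -> Version:
    """Split '6.1.4.4-FIPS' into ((6, 1, 4, 4), 'FIPS'); the suffix is '' when absent."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), (m.group(2) or "").upper()


def classify(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return (status, reference_fix) for one installed version.

    status is one of:
      'fixed'                   at or above the fixed release of its train, or
                                newer than every fixed release (the advisory
                                says newer versions also contain the fix)
      'affected'                below the fixed release on a train that has one
      'affected_no_fix_on_train' older than a fixed release but on a train the
                                advisory lists no fix for; reference_fix is the
                                nearest fixed release to move to
    """
    comps, suffix = parse_version(version)
    # FIPS and non-FIPS builds are separate trains; compare only like with like.
    fixes = [(f, parse_version(f)) for f in FIXED[product]]
    fixes = [(f, fc) for f, (fc, fs) in fixes if fs == suffix]
    if not fixes:
        raise ValueError(f"advisory lists no {suffix or 'non-FIPS'} fix for {product}")

    for fix_text, fix_comps in fixes:
        train = len(fix_comps) - 1
        if comps[:train] == fix_comps[:train]:
            return ("fixed" if comps >= fix_comps else "affected"), fix_text

    newer = [ft for ft, fc in fixes if comps < fc]
    if not newer:
        return "fixed", None  # newer than every fixed release
    # Lowest fixed release above the installed one is the upgrade target.
    target = min(newer, key=lambda ft: parse_version(ft)[0])
    return "affected_no_fix_on_train", target


# Constructed sample inventory (host, product, version); not real devices.
SAMPLE_INVENTORY = [
    ("ctrl-01", "ArubaOS", "6.1.3.7"),
    ("ctrl-02", "ArubaOS", "6.2.0.3"),
    ("ctrl-fips", "ArubaOS", "6.1.4.3-FIPS"),
    ("guest-01", "Amigopod", "3.9.7"),
    ("cppm-01", "ClearPass Policy Manager", "6.0.2"),
]


def audit(inventory=SAMPLE_INVENTORY) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """Classify every inventory row; returns (host, product, version, status, fix)."""
    return [(host, product, ver, *classify(product, ver)) for host, product, ver in inventory]


if __name__ == "__main__":
    for host, product, ver, status, fix in audit():
        print(f"{host:10} {product:25} {ver:14} {status:26} fix: {fix or '-'}")
```

Rows reported as "affected" or "affected_no_fix_on_train" should then be cross-checked against the device's OCSP configuration before being treated as exposed; the ArubaOS note that the OCSP process restarts automatically also bounds the impact to a partial denial of service, as the advisory states.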