Advisory Number 08182014
CVE-2014-3511

TITLE

OpenSSL Multiple Vulnerabilities (August 2014)

SUMMARY

On August 6, 2014, the OpenSSL Foundation announced multiple vulnerabilities in OpenSSL through the advisory at https://www.openssl.org/news/secadv_20140806.txt. A number of Aruba Networks products make use of OpenSSL. This advisory has been created to describe Aruba's exposure to these vulnerabilities.

AFFECTED PRODUCTS

Information leak in pretty printing functions (CVE-2014-3508)
  - No Aruba products affected

Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
  - No Aruba products affected

Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
  - No Aruba products affected

Double Free when processing DTLS packets (CVE-2014-3505)
  - No Aruba products affected

DTLS memory exhaustion (CVE-2014-3506)
  - No Aruba products affected

DTLS memory leak from zero-length fragments (CVE-2014-3507)
  - No Aruba products affected

OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
  - No Aruba products affected

OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
  - Multiple Aruba products impacted. See below for further details.

SRP buffer overrun (CVE-2014-3512)
  - No Aruba products affected

AFFECTED VERSIONS (for CVE-2014-3511)

- ArubaOS (6.3.x prior to 6.3.1.11, 6.4.x prior to 6.4.2.1, including FIPS versions)
- ClearPass (6.3.x prior to 6.3.5, 6.4.x prior to 6.4.1)
- AirWave (7.7.x prior to 7.7.13, 8.0.x prior to 8.0.4)

NOT AFFECTED

- ArubaOS 6.2.x, 6.1.x, 5.x, and 3.4.x
- ArubaOS 7.x
- Aruba Central (already patched)
- Aruba Instant (IAP)
- Aruba VIA
- MeshOS

DETAILS

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented.
This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records.

DISCOVERY

These vulnerabilities were announced publicly by the OpenSSL Foundation.

IMPACT

OpenSSL is used in a variety of ways in Aruba products, including:

* HTTPS communications via the Administrative Web GUI
* HTTPS communications via Captive Portal
* 802.1X
* Secure LDAP communication
* Secure communication with some third-party APIs
* VIA profile download

The Aruba products listed above include support for TLS 1.2. An attacker successfully carrying out the attack described by CVE-2014-3511 could cause a TLS connection to fall back to TLS 1.0. The impact would be that stronger ciphersuites only available in TLS 1.2, such as ciphersuites that make use of SHA256/SHA384, would not be available, and instead the connection would make use of SHA1 for integrity protection. Note that while SHA1 is expected to become deprecated in the future, it is not today considered particularly weak.

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This rating system is a vendor-agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response. The CVSS score for this release is:

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

MITIGATION

Other than customers using Suite B cryptography, most Aruba customers do not depend on TLS 1.2 being available. If the use of TLS 1.2 forms a critical layer of security in your environment, Aruba recommends that TLS communication be made available only to trusted network segments. Note that if Suite B cryptography is in use only for IPsec communication, this vulnerability has no impact. Otherwise, given the low security impact of this vulnerability, Aruba does not recommend any additional mitigation steps.
Upgrade to the latest supported version of software during your next regularly scheduled maintenance window.

SOLUTION

Aruba Networks plans to publish patch releases for the affected products. We recommend upgrading to these releases during your next regularly scheduled maintenance window.

- ArubaOS 6.3.1.11 (estimated release date 09/19/2014)
- ArubaOS 6.4.2.1 (estimated release date 09/10/2014)
- ClearPass 6.3.5 (estimated release date 09/08/2014)
- ClearPass 6.4.1 (estimated release date 09/30/2014)
- AirWave 7.7.13 (estimated release date 09/02/2014)
- AirWave 8.0.4 (estimated release date 09/02/2014)

Note: If upgrading your AirWave Server to either version 7.7.13 or 8.0.4 is not feasible, you may instead update OpenSSL manually using 'yum'.

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website: http://support.arubanetworks.com

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at: http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at: http://www.arubanetworks.com/support/alerts/aid-08182014.txt

Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.0 / 08-19-2014 / Initial release

ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks products, and on obtaining assistance with security incidents, is available at http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2014 by Aruba Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.
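As an added illustration of the DETAILS and IMPACT sections (not code from this advisory, Aruba or OpenSSL): a defender-side check that takes a captured ClientHello and ServerHello, reassembles the handshake across TLS record-layer fragments, and flags both a fragmented ClientHello and a negotiated version lower than the one the client offered, which is the symptom of CVE-2014-3511. The handshake bytes are constructed inline for the example, and the names `parse_first_hello`, `check_downgrade` and `build_hello` are hypothetical.

```python
import struct

HANDSHAKE = 0x16                      # TLS record content type for handshake
CLIENT_HELLO, SERVER_HELLO = 1, 2     # handshake message types
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_first_hello(data):
    """Walk TLS records, reassemble the handshake byte stream and return
    (msg_type, hello_version, records_used) for the first Hello message.
    records_used > 1 means the Hello was split across record-layer fragments."""
    stream, pos, records = bytearray(), 0, 0
    while pos + 5 <= len(data):
        ctype, _rec_ver, length = struct.unpack("!BHH", data[pos:pos + 5])
        if ctype != HANDSHAKE:
            raise ValueError("non-handshake record at offset %d" % pos)
        stream += data[pos + 5:pos + 5 + length]
        pos += 5 + length
        records += 1
        if len(stream) >= 4 and len(stream) >= 4 + int.from_bytes(stream[1:4], "big"):
            break  # full handshake message assembled
    if len(stream) < 6:
        raise ValueError("truncated handshake message")
    return stream[0], struct.unpack("!H", stream[4:6])[0], records

def check_downgrade(client_bytes, server_bytes):
    """Flag a ServerHello that picks a lower version than the ClientHello offered."""
    c_type, c_ver, c_records = parse_first_hello(client_bytes)
    s_type, s_ver, _ = parse_first_hello(server_bytes)
    if c_type != CLIENT_HELLO or s_type != SERVER_HELLO:
        raise ValueError("expected a ClientHello and a ServerHello")
    return {
        "client_offered": VERSION_NAMES.get(c_ver, hex(c_ver)),
        "server_chose": VERSION_NAMES.get(s_ver, hex(s_ver)),
        "fragmented_client_hello": c_records > 1,
        "downgraded": s_ver < c_ver,
    }

def build_hello(msg_type, version, split_at=None):
    """Constructed sample Hello (not a real capture); split_at breaks it into two records."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    if msg_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"   # one cipher suite, null compression
    else:
        body += b"\x00\x2f\x00"                     # chosen suite, null compression
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    chunks = [msg] if split_at is None else [msg[:split_at], msg[split_at:]]
    return b"".join(b"\x16\x03\x01" + struct.pack("!H", len(c)) + c for c in chunks)
```

Running `check_downgrade(build_hello(CLIENT_HELLO, 0x0303, split_at=3), build_hello(SERVER_HELLO, 0x0301))` on the constructed pair reports a fragmented ClientHello and a downgrade to TLS 1.0; on a real capture, a fragmented ClientHello with a TLS 1.0 ServerHello from a server known to support TLS 1.2 is the pattern worth investigating.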