-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 09252014

CVE-2014-6271
CVE-2014-7169
CVE-2014-6277
CVE-2014-6278

TITLE

GNU bash Shell Multiple Vulnerabilities ("Shellshock")

SUMMARY

On September 24, 2014, a public announcement was made regarding a vulnerability in the GNU 'bash' shell that could permit remote code execution. This vulnerability was assigned CVE-2014-6271 and fixes were published. The fix was incomplete, and a second vulnerability (CVE-2014-7169) was published. Over the following days, additional vulnerabilities (CVE-2014-6277 and CVE-2014-6278) were also made public. Some Aruba products contain the GNU bash shell, and this advisory has been created to describe Aruba's exposure to these vulnerabilities.

AFFECTED PRODUCTS

- AirWave (all versions prior to 7.7.13; 8.0.x prior to 8.0.4.1)
- ClearPass Policy Manager (all versions prior to 6.3.6; 6.4.x prior to 6.4.1)
- ALE (all versions prior to 1.2.3)
- Amigopod (all versions)

NOT AFFECTED

- ArubaOS (all versions)
- Aruba Central (already patched)
- Aruba Instant (IAP)
- Aruba VIA
- MeshOS

DETAILS

Bash supports exporting not only shell variables but also shell functions to other bash instances, passing them through the process environment to (indirect) child processes. Current bash versions propagate a function definition through the environment as a variable named after the function, whose value is the function definition beginning with "() {". The vulnerability exists because bash does not stop after processing the function definition; it continues to parse and execute any shell commands that follow the definition in the same variable value. If bash is used as an interpreter for network-accessible scripts, an attacker could exploit the vulnerability to execute arbitrary code.

DISCOVERY

These vulnerabilities were announced publicly on September 24, 2014.

IMPACT

Aruba confirms that affected versions of 'bash' are included in the Linux distributions used by AirWave, Amigopod, ALE, and ClearPass.
However, current testing and analysis indicates that the vulnerability is NOT exploitable over the network by an unauthenticated user. It is still possible that this vulnerability could be used by an authenticated user to conduct a privilege escalation attack. Aruba has not yet been able to prove or disprove this vector, given the complexity of the software. Aruba will post revisions of this advisory if new information comes to light indicating a more serious impact.

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This rating system is a vendor-agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response. The CVSS score for this release is:

CVSS V2 Base Score: 3.6 (LOW) (AV:N/AC:H/Au:S/C:P/I:P/A:N)

MITIGATION

Aruba recommends that, wherever possible, affected products not be exposed to untrusted networks such as the public Internet. Apply patches as soon as they become available.

SOLUTION

As of this writing (September 29) the situation is still fluid; patches for bash have been published by Red Hat and others, but it is unclear whether those patches fully fix all problems. Aruba Networks has published patch releases for some affected products and will continue to publish patches as new information becomes available. The following versions contain fixes:

ClearPass 6.2.6 patch - scheduled release date October 1, 2014
ClearPass 6.3.5 patch - scheduled release date October 1, 2014
ClearPass 6.3.6
ClearPass 6.4.1 - scheduled release date September 30, 2014
ALE 1.2.3 - scheduled release date October 1, 2014
AirWave 7.7.13 - released September 26, 2014
AirWave 8.0.4.1 - released September 26, 2014

Note: If upgrading your AirWave server to either version 7.7.13 or 8.0.4.1 is not feasible, you may instead update bash manually using 'yum'. The same procedure is available for ALE.

Amigopod has reached the "End of Development" milestone and will not be updated.
Customers should update Amigopod installations to ClearPass Guest to address this and any future security issues.

+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-09252014.txt

Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.0 / 09-25-2014 / Initial release
Revision 1.1 / 09-29-2014 / Update. New IMPACT section, updated SOLUTION. Severity downgraded to LOW.
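As an added example (not part of this advisory or of Aruba's software), the following POSIX shell script gives an administrator two defender-side checks for the bash behaviour described under DETAILS: a probe that reports whether a given bash binary still executes commands trailing an exported function definition (CVE-2014-6271), which is useful for confirming that the manual 'yum' update mentioned under SOLUTION took effect, and a count of web-server log lines carrying the "() {" prefix that any such payload must place in a request field. The function names, the marker string and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Aruba advisory. Helper names, the marker
# string and the sample log are constructed for illustration.

# Probe a bash binary for CVE-2014-6271. The environment variable 'probe'
# holds a function definition ("() { :; }") followed by a trailing command.
# A vulnerable bash executes the trailer while importing its environment;
# a patched bash stops after the function body, so the marker never appears.
# Prints vulnerable / patched / bash-missing and returns 0 / 1 / 2.
shellshock_probe() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "bash-missing"; return 2; }
    out=$(env probe='() { :; }; echo SHELLSHOCK_MARKER' "$bash_bin" -c ':' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 0 ;;
        *)                   echo "patched";    return 1 ;;
    esac
}

# Count log lines carrying the "() {" function-definition prefix in any
# request field (URI, User-Agent, Referer). Every Shellshock payload must
# begin with it, so this is a cheap first-pass detection for web logs on
# hosts that hand request data to bash-interpreted scripts. Takes the log
# text as $1; prints the number of matching lines.
count_shellshock_log_hits() {
    printf '%s\n' "$1" | grep -c '() *{' || true
}

# Constructed sample access-log lines (not real traffic): lines 1 and 3 carry
# the prefix in the User-Agent and Referer fields respectively.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
10.0.0.6 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:10:01:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored; }; echo probe" "curl/7.30"'

# Report on the system bash and on the sample log when run directly.
printf 'system bash: %s\n' "$(shellshock_probe)"
printf 'log lines with "() {": %s\n' "$(count_shellshock_log_hits "$SAMPLE_LOG")"
```

The probe only covers the original bug; CVE-2014-7169, CVE-2014-6277 and CVE-2014-6278 are parser defects that a bash reported as "patched" here may still carry, so treat a "patched" result as necessary rather than sufficient.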
ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2014 by Aruba Networks, Inc.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.