-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory Number 09252014
CVE-2014-6271
CVE-2014-7169
CVE-2014-6277
CVE-2014-6278


TITLE
 
GNU bash Shell Multiple Vulnerabilities ("Shellshock")
 

SUMMARY
 
On September 24, 2014, a public announcement was made regarding a vulnerability in the GNU
'bash' shell that could permit remote code execution.  This vulnerability was assigned
CVE-2014-6271 and fixes were published.  The fix was incomplete, and a second vulnerability
(CVE-2014-7169) was published.  Over the following days, additional vulnerabilities
(CVE-2014-6277 and CVE-2014-6278) were also made public. 

Some Aruba products contain the GNU bash shell, and this advisory has been created 
to describe Aruba's exposure to these vulnerabilities.


AFFECTED PRODUCTS
	- AirWave (All versions prior to 7.7.13, 8.0.x prior to 8.0.4.1)
	- Clearpass Policy Manager (All versions prior to 6.3.6, 6.4.x prior to 6.4.1)
	- ALE (all versions prior to 1.2.3)
	- Amigopod (All versions)


NOT AFFECTED
	- ArubaOS (all versions)
	- Aruba Central (already patched)
	- Aruba Instant (IAP)
	- Aruba VIA
	- MeshOS


DETAILS

Bash supports exporting not just shell variables, but also shell
functions to other bash instances, via the process environment to
(indirect) child processes.  Current bash versions use an environment
variable named by the function name, and a function definition
starting with “() {” in the variable value to propagate function
definitions through the environment.  The vulnerability occurs because
bash does not stop after processing the function definition; it
continues to parse and execute shell commands following the function
definition.  If bash is used as an interpreter for network-accessible
scripts, an attacker could exploit the vulnerability to execute
arbitrary code.


 
DISCOVERY

These vulnerabilities were announced publicly on September 24, 2014.



IMPACT

Aruba confirms that affected versions of 'bash' are included in the 
Linux distributions used by AirWave, Amigopod, ALE, and ClearPass.  
However, current testing and analysis indicates that the vulnerability
is NOT exploitable over the network by an unauthenticated user.

It is still possible that this vulnerability could be used by an 
authenticated user to conduct a privilege escalation attack.  Aruba 
has not yet been able to prove or disprove this vector, given the 
complexity of the software. Aruba will post revisions of this advisory 
if new information comes to light indicating a more serious impact.

Aruba Networks participates in the Common Vulnerability Scoring System (CVSS). This 
rating system is a vendor agnostic, industry open standard designed to convey 
vulnerability severity and help determine urgency and priority of response. The CVSS score
for this release is:

CVSS V2 Base Score: 3.6 (LOW) (AV:N/AC:H/Au:S/C:P/I:P/A:N)


MITIGATION

Aruba recommends that wherever possible, affected products should not be
exposed to untrusted networks such as the public Internet.  Apply patches
as soon as they become available.


 
SOLUTION

As of this writing (September 29) the situation is still fluid; patches for bash have
been published by RedHat and others, but it is unclear if those patches fully fix
all problems. Aruba Networks has published patch releases for some affected 
products and will continue to publish patches as new information becomes available.  
The following versions contain fixes:

ClearPass 6.2.6 patch - scheduled release date October 1, 2014
ClearPass 6.3.5 patch - scheduled release date October 1, 2014
ClearPass 6.3.6
ClearPass 6.4.1 - scheduled release date September 30, 2014
ALE 1.2.3 - scheduled release date October 1, 2014
AirWave 7.7.13 - released September 26, 2014
AirWave 8.0.4.1 - released September 26, 2014
  Note:  If upgrading your AirWave server to either version 7.7.13 or 8.0.4.1 is not 
         feasible,  you may instead update bash manually using 'yum'. The
	 same procedure is available for ALE.

Amigopod has reached the "End of Development" milestone and will not be updated.
Customers should update Amigopod installations to ClearPass Guest to address this
and any future security issues.

+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
	http://support.arubanetworks.com


Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
	
	+1-408-754-1200 (toll call from anywhere in the world)

	The full contact list is at:
	http://www.arubanetworks.com/support-services/support-program/contact-support/

	e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-09252014.txt


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY
      Revision 1.0 / 09-25-2014 / Initial release
      Revision 1.1 / 09-29-2014 / Update.  New IMPACT section, updated SOLUTION.
				  Severity downgraded to LOW.


ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
PGP encryption. Our public keys can be found at 

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBCAAGBQJUKfz/AAoJEJj+CcpFhYbZwd8H/1+Exfhvvj6G7E+eqLUa7TnZ
6JnsCoxf+ZK73hi8gP1itkYQ0dVztHlTUmmPcV1S6IWYTDcqxZsssd10IGq6Dl4M
3oLiCSIAsZnjBxq69zehfkZVS2T4XLa0ZCHlpODyvSBtfNp0amC/w7Y2yTPCXe7P
rubX9SptSykbab4vb8SUKpUPN9asvbaMs9/MGJU08R+9P5spqY5J3OWK4o+D01xY
uo4SZ7GM2n+N6ahqBXk2QAC1OO3glC6RHwf7lK7XYVB1AEQ8ZPPvOa0scR9kSC/N
vRSFwKMd/PgoAcU/2w6JvG4V1Csw9TqNlxx8GiKXCTMM+Faa17+iiIK3PiB5Kgc=
=p8z4
-----END PGP SIGNATURE-----