Advisory Number 10072014
CVE-2014-7299

TITLE

ArubaOS Authentication Bypass Vulnerability

SUMMARY

A vulnerability has been found in some ArubaOS versions that may permit unauthenticated access to administrative interfaces of Aruba controllers.

AFFECTED PRODUCTS

- ArubaOS 6.3.1.11
- ArubaOS 6.3.1.11-FIPS
- ArubaOS 6.4.2.1
- ArubaOS 6.4.2.1-FIPS

DETAILS

It may be possible to obtain limited administrative privileges without valid credentials. The vulnerability affects access over SSH; access through the WebUI and the serial port is not affected. The vulnerability does not provide "root" level access.

DISCOVERY

This vulnerability was discovered by Brian Julin of Clark University. Aruba would like to thank Mr. Julin for his assistance in discovering and reporting this problem.

IMPACT

An attacker may be able to log in to an affected mobility controller and conduct the following types of activities:

- Issue 'show' commands
- Obtain encrypted password hashes for administrative accounts
- View the running configuration
- Add users to the internal user database with 'guest' rights

CVSS V2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)

MITIGATION

Upgrade your controller to ArubaOS 6.3.1.12 or 6.4.2.2 as soon as possible. As an alternative, downgrading to 6.3.1.10 or 6.4.2.0 will also eliminate the vulnerability.

If upgrading/downgrading is not an option, you may block SSH access from untrusted networks, or block it completely. From the CLI:

  (config) #firewall cp
  (config-fw-cp) #ipv4 permit 10.100.1.0 255.255.255.0 proto ssh
  (config-fw-cp) #ipv4 deny any proto ssh

The above will permit SSH only from subnet 10.100.1.0. You may also permit SSH only from specific hosts:

  (config) #firewall cp
  (config-fw-cp) #ipv4 permit host 10.100.1.12 proto ssh
  (config-fw-cp) #ipv4 deny any proto ssh

The above will permit SSH only from host 10.100.1.12.
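As an added example (not Aruba's code), the following Python parses the "firewall cp" rules shown above, in either the prompted CLI form or the prompt-free running-config form, and checks which sources can still reach SSH. It assumes first-match rule evaluation and handles only the three source forms the advisory uses ('any', 'host', and address plus netmask).

```python
import ipaddress

# Constructed sample: the subnet-based rules from the advisory, as typed at the
# CLI prompts (the parser also accepts the prompt-free running-config form).
SAMPLE_CP_RULES = """
(config) #firewall cp
(config-fw-cp) #ipv4 permit 10.100.1.0 255.255.255.0 proto ssh
(config-fw-cp) #ipv4 deny any proto ssh
"""

def parse_cp_rules(text):
    """Parse 'ipv4 permit|deny <source> proto <name>' lines into
    (action, network, proto). Only the three source forms the advisory uses
    are handled: 'any', 'host A.B.C.D' and 'A.B.C.D NETMASK'."""
    rules = []
    for line in text.splitlines():
        parts = line.rsplit("#", 1)[-1].split()   # drop a leading CLI prompt, if any
        if len(parts) < 4 or parts[0] != "ipv4" or parts[1] not in ("permit", "deny"):
            continue                                # not a rule line (e.g. 'firewall cp')
        action = parts[1]
        if parts[2] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), parts[3:]
        elif parts[2] == "host":
            net, rest = ipaddress.ip_network(parts[3] + "/32"), parts[4:]
        else:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            rest = parts[4:]
        if len(rest) != 2 or rest[0] != "proto":
            raise ValueError(f"unsupported rule: {line.strip()}")
        rules.append((action, net, rest[1]))
    return rules

def ssh_allowed(rules, src_ip):
    """Decide whether SSH from src_ip reaches the control plane. Assumes
    first-match evaluation (an assumption, not taken from the advisory); a
    source matched by no SSH rule is treated as permitted, the conservative
    reading for an audit."""
    addr = ipaddress.ip_address(src_ip)
    for action, net, proto in rules:
        if proto == "ssh" and addr in net:
            return action == "permit"
    return True

def ssh_restricted(rules):
    """True only if a catch-all 'deny any proto ssh' is present, so that every
    source not explicitly permitted is blocked."""
    return any(a == "deny" and n.prefixlen == 0 for a, n, p in rules if p == "ssh")
```

Run ssh_restricted over the "firewall cp" section of each controller's running configuration to confirm the catch-all deny was actually applied and not just the permit line.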
Finally, you may block ALL access through SSH:

  (config) #firewall cp
  (config-fw-cp) #ipv4 deny any proto ssh

From the WebUI, navigate to Configuration->Advanced->Stateful Firewall->ACL White List, where you may add equivalent rules using the "Add" button.

If your controller operates in an IPv6 environment, you should also block access through IPv6.

SOLUTION

Aruba has made ArubaOS 6.3.1.12 and 6.4.2.2 available for download. The vulnerability is fixed in these versions.

Because encrypted password hashes may have been exposed, we recommend that administrative passwords be changed after software is updated.

+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website: http://support.arubanetworks.com

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at: http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

STATUS OF THIS NOTICE: Initial

Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at: http://www.arubanetworks.com/support/alerts/aid-10072014.txt

Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.0 / 10-07-2014 / Initial release

ARUBA SIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2014 by Aruba Networks, Inc.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.