-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2015-005
CVE: CVE-2015-1390, CVE-2015-1391, CVE-2015-2201, CVE-2015-2202
Publication Date: 2015-03-18
Status: Confirmed, Fixed
Revision: 1



Title
=====
AirWave Multiple Vulnerabilities
 

Overview
========

Multiple vulnerabilities exist in AirWave. See below for details.


Affected Products
=================

 -- AirWave versions prior to 8.0.7


Solution
========

Upgrade to one of the following software versions:
  -- AirWave 8.0.7 or later


Details
=======

In order to protect customer networks, Aruba is providing no specific 
details in the initial advisory.  In accordance with our vulnerability
disclosure policy, Aruba will update this advisory in 60 days to provide
full details of each vulnerability.


  Cross-site Scripting Permits Script Execution Inside Administrative Session (CVE-2015-1390)
  -------------------------------------------------------------------------------------------
  A cross-site scripting vulnerability permits an unauthenticated user to inject script code
  that could be executed by an AirWave administrator while inside an administrative session.
  While the vulnerability requires no authentication, it does require administrative ccess to 
  network elements being managed by AirWave.  Simply having HTTP access to the AirWave console 
  is insufficient.

  Severity: High
  Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
  CVSSv2 Overall Score: 7.5
  CVSSv2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  Discovery: This vulnerability was discovered by Akhil Reni (@akhil_reni) and reported 
  through the BugCrowd managed bug bounty program.  

  Fix: Fixed in 8.0.7


  Bypass of Cross-Site Request Forgery Prevention Mechanisms (CVE-2015-1391)
  --------------------------------------------------------------------------
  AirWave includes protection mechanisms against cross-site request forgery (CSRF) attacks.
  It is possible for an attacker to bypass these mechanisms by supplying a crafted URL in
  an HTTPS request. While a CSRF attack is diffuclt to carry out, a successful attack would
  allow the attacker to make arbitrary configuration changes to the AirWave system, including
  adding new administrative accounts and changing passwords.

  Severity: Medium
  Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
  CVSSv2 Overall Score: 6.8
  CVSSv2 Vector: (AV:N/AC:H/Au:S/C:P/I:C/A:C)

  Discovery: This vulnerability was discovered and reported through the BugCrowd managed bug 
  bounty program.  

  Fix: Fixed in 8.0.7


  VisualRF Remote Command Execution and File Disclosure (CVE-2015-2201)
  ---------------------------------------------------------------------
  This vulnerability permits an authenticated administrative user of any privilege
  level to execute arbitrary commands on the underlying operating system with the 
  privilege level of the web server component. Using this technique, local files
  can be exported to an external system or network.

  Severity: Medium
  Vulnerability Class: Improper Control of Generation of Code (CWE-94)
  CVSSv2 Overall Score: 6.0
  CVSSv2 Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)

  Discovery: This vulnerability was discovered and reported through the BugCrowd managed bug 
  bounty program.

  Fix: Fixed in 8.0.7 and 7.7.14.2


  Authenticated Privilege Escalation (CVE-2015-2202)
  --------------------------------------------------
  Incorrect input sanitization in AirWave allows an authenticated administrative user
  of any privilege level to execute arbitrary commands on the underlying operating system
  with the privilege level of 'root'.  This permits complete compromise of the AirWave
  system.

  Severity: High
  Vulnerability Class: Improper Input Validation (CWE-20)
  CVSSv2 Overall Score: 7.1
  CVSSv2 Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C)

  Discovery: This vulnerability was discovered and reported by Jan Bee of the Google Security
  Team. 

  Fix: Fixed in 8.0.7 and 7.7.14.2


Workaround
==========

There are no completely effective workarounds for these issues.  


Obtaining Fixed Software
========================

Aruba customers can obtain software updates on the support website:
	http://support.arubanetworks.com


Aruba Support contacts are as follows:

	+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
	
	+1-408-754-1200 (toll call from anywhere in the world)

	The full contact list is at:
	http://www.arubanetworks.com/support-services/support-program/contact-support/

	e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


Revision History
================

      Revision 1.0 / 2015-Mar-18 / Initial release


Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2015 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBCAAGBQJVCecWAAoJEJj+CcpFhYbZfAMIAJ28Cc3MIQDnjacHqUSZwBIN
GHtudCaapUe6XAWhqspxbjUaMh/B8NfRXj3h6RgiHKTXaGl9HtIqYKozR2cQWjSm
i/RWj2np7A0ci7DGyQqhsrYI3B6IjsogvnhEIJkprlufiwjrUlOJwRIR9bNaKIbZ
WmOwubtpOgGsXZtMENNqqrtB9iG12ghWXcpZ0ayj6WIRLJ3WuEPBCshzD7ZU7P6A
i/ozlswFezIIVYAtLHjbJfjhTWG2CVFFCubunxJvZfhUJpsv5XqEg6ClSuJxoiMV
7X8demOJll+IIZjwGRT2psj57F+7gp/ZE3g4atqA9UMtnoefBsSPd6N6v4C0pOs=
=+kzi
-----END PGP SIGNATURE-----