Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2015-005
CVE: CVE-2015-1390, CVE-2015-1391, CVE-2015-2201, CVE-2015-2202
Publication Date: 2015-03-18
Status: Confirmed, Fixed
Revision: 1

Title
=====

AirWave Multiple Vulnerabilities

Overview
========

Multiple vulnerabilities exist in AirWave. See below for details.

Affected Products
=================

-- AirWave versions prior to 8.0.7

Solution
========

Upgrade to one of the following software versions:

-- AirWave 8.0.7 or later

Details
=======

In order to protect customer networks, Aruba is providing no specific details in the initial advisory. In accordance with our vulnerability disclosure policy, Aruba will update this advisory in 60 days to provide full details of each vulnerability.

Cross-site Scripting Permits Script Execution Inside Administrative Session (CVE-2015-1390)
-------------------------------------------------------------------------------------------

A cross-site scripting vulnerability permits an unauthenticated user to inject script code that could be executed by an AirWave administrator while inside an administrative session. While the vulnerability requires no authentication, it does require administrative access to network elements being managed by AirWave. Simply having HTTP access to the AirWave console is insufficient.

Severity: High
Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
CVSSv2 Overall Score: 7.5
CVSSv2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Discovery: This vulnerability was discovered by Akhil Reni (@akhil_reni) and reported through the BugCrowd managed bug bounty program.
Fix: Fixed in 8.0.7

Bypass of Cross-Site Request Forgery Prevention Mechanisms (CVE-2015-1391)
--------------------------------------------------------------------------

AirWave includes protection mechanisms against cross-site request forgery (CSRF) attacks. It is possible for an attacker to bypass these mechanisms by supplying a crafted URL in an HTTPS request. While a CSRF attack is difficult to carry out, a successful attack would allow the attacker to make arbitrary configuration changes to the AirWave system, including adding new administrative accounts and changing passwords.

Severity: Medium
Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
CVSSv2 Overall Score: 6.8
CVSSv2 Vector: (AV:N/AC:H/Au:S/C:P/I:C/A:C)
Discovery: This vulnerability was discovered and reported through the BugCrowd managed bug bounty program.
Fix: Fixed in 8.0.7

VisualRF Remote Command Execution and File Disclosure (CVE-2015-2201)
---------------------------------------------------------------------

This vulnerability permits an authenticated administrative user of any privilege level to execute arbitrary commands on the underlying operating system with the privilege level of the web server component. Using this technique, local files can be exported to an external system or network.

Severity: Medium
Vulnerability Class: Improper Control of Generation of Code (CWE-94)
CVSSv2 Overall Score: 6.0
CVSSv2 Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Discovery: This vulnerability was discovered and reported through the BugCrowd managed bug bounty program.
Fix: Fixed in 8.0.7 and 7.7.14.2

Authenticated Privilege Escalation (CVE-2015-2202)
--------------------------------------------------

Incorrect input sanitization in AirWave allows an authenticated administrative user of any privilege level to execute arbitrary commands on the underlying operating system with the privilege level of 'root'. This permits complete compromise of the AirWave system.

Severity: High
Vulnerability Class: Improper Input Validation (CWE-20)
CVSSv2 Overall Score: 7.1
CVSSv2 Vector: (AV:N/AC:H/Au:S/C:C/I:C/A:C)
Discovery: This vulnerability was discovered and reported by Jan Bee of the Google Security Team.
Fix: Fixed in 8.0.7 and 7.7.14.2

Workaround
==========

There are no completely effective workarounds for these issues.

Obtaining Fixed Software
========================

Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:

+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

Revision History
================

Revision 1.0 / 2015-Mar-18 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products and on obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2015 by Aruba Networks, Inc.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.
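As an added example (not part of the Aruba advisory), the following CVSSv2 base-score calculator re-derives the four published scores from the vectors quoted above, so a reader can verify them or rescore with their own assumptions; the metric weights are the standard CVSSv2 constants, and the CVE/vector/score table is copied from the advisory.

```python
# Added example (not part of the Aruba advisory): CVSSv2 base-score calculator
# used to re-derive the advisory's four scores from their published vectors.
# Weights below are the standard CVSSv2 constants.
import math

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def _round1(x):
    # CVSSv2 rounds half up to one decimal; avoid Python's banker's rounding.
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """Turn '(AV:N/AC:L/Au:N/C:P/I:P/A:P)' into a dict of metric -> value."""
    fields = vector.strip("() ").split("/")
    metrics = dict(f.split(":", 1) for f in fields)
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"malformed CVSSv2 vector: {vector}")
    return metrics


def cvss2_base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176  # no impact means a score of 0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# Vectors and overall scores as quoted in the advisory above.
ADVISORY_ENTRIES = {
    "CVE-2015-1390": ("(AV:N/AC:L/Au:N/C:P/I:P/A:P)", 7.5),
    "CVE-2015-1391": ("(AV:N/AC:H/Au:S/C:P/I:C/A:C)", 6.8),
    "CVE-2015-2201": ("(AV:N/AC:M/Au:S/C:P/I:P/A:P)", 6.0),
    "CVE-2015-2202": ("(AV:N/AC:H/Au:S/C:C/I:C/A:C)", 7.1),
}


def check_advisory_scores(entries=ADVISORY_ENTRIES):
    """Return {cve: (computed, published)} for every entry whose score does not match."""
    return {cve: (cvss2_base_score(v), s) for cve, (v, s) in entries.items()
            if cvss2_base_score(v) != s}


if __name__ == "__main__":
    for cve, (vector, published) in ADVISORY_ENTRIES.items():
        print(cve, vector, "computed:", cvss2_base_score(vector), "published:", published)
    print("mismatches:", check_advisory_scores())
```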