-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2015-010
CVE: CVE-2015-7704, CVE-2015-7705, CVE-2015-7852, CVE-2015-7871
Publication Date: 2015-Nov-30
Status: Confirmed
Revision: 1



Title
=====
Network Time Protocol Daemon (NTPD) Multiple Vulnerabilities
 

Overview
========
The NTP Project (www.ntp.org) announced multiple vulnerabilities in ntpd on October 21, 2015.  For full
details, see http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner.
Multiple Aruba products incorporate ntpd and are vulnerable to a subset of the announced vulnerabilities.


Affected Products
=================

 -- ClearPass up to, but not including, 6.5.5
 -- ArubaOS 6.3 up to, but not including, 6.3.1.20
 -- ArubaOS 6.4 up to, but not including, 6.4.2.14, 6.4.3.6, and 6.4.4.3
 -- ArubaOS 7.x up to, but not including, 7.4.1.2


Unaffected Products
===================

 -- AirWave
 -- Aruba Instant
 -- Aruba Central
 -- VIA
 -- Meridian


Details
=======
 -- ClearPass is vulnerable to CVE-2015-7704 and CVE-2015-7705.  This could allow an attacker to degrade
    the clock accuracy by causing ClearPass to cease or delay updating the clock through NTP.
 -- ArubaOS 6.3 and 6.4 are vulnerable to CVE-2015-7704 and CVE-2015-7705.  This could allow an attacker 
    to degrade the clock accuracy by causing ArubaOS to cease or delay updating the clock through NTP.
 -- Additionally, ArubaOS 6.4 is vulnerable to CVE-2015-7871 ("NAK to the Future"). This is the most serious
    of the vulnerabilities, and could allow an attacker to control the clock on a device running ArubaOS 6.4.


Workarounds
===========
The following workarounds limit the exposure of this vulnerability to nearly zero:
  -- Restrict access to NTP servers by ensuring that systems communicate only with specific, trusted NTP
     upstream servers.
  -- Do not allow untrusted systems to access Aruba components on UDP port 123.  Aruba systems operate as
     NTP clients and will always establish connections outbound to upstream NTP servers.  There is no need
     for external systems to initiate contact with an Aruba component. Note: In a multi-node ClearPass
     deployment, a ClearPass publisher does act as an NTP server for ClearPass subscriber nodes, so firewall
     rules would need to be adjusted accordingly.
  -- For ArubaOS 6.4, use Service ACLs to permit inbound NTP traffic only from trusted sources.


Resolution
==========
The vulnerability will be addressed in the following versions:

 -- ClearPass: 6.5.5, expected early January
 -- ArubaOS: 6.3.1.20, 6.4.2.14, 6.4.3.6, 6.4.4.3 (bug 127194)


Obtaining Fixed Software
========================

Aruba customers can obtain software updates on the support website:
	http://support.arubanetworks.com


Aruba Support contacts are as follows:

	+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
	
	+1-408-754-1200 (toll call from anywhere in the world)

	The full contact list is at:
	http://www.arubanetworks.com/support-services/support-program/contact-support/

	e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.


Revision History
================

      Revision 1.0 / 2015-Nov-30 / Initial release


Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of 
PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2015 by Aruba, a Hewlett Packard Enterprise company
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWW3ShAAoJEJj+CcpFhYbZ94YH/0/hKBXXrxsxbM5heK7BYw8c
zPF7dOlwdrkhPtM9lArmHzIgpgbYqDTdmeq6Bp18nzanyI3dcG1J+ig1G4bc/diz
tT2t0Lmi/Tyh+UaJCFb2pRDbxRYOONZKd1+xM4hSEm2C/Bwr57K3jYJ1VIxp9oT5
w0TgvjH2QHTQwqj92mzQxBlFo02BCB845jxKh4xiOAH8lNcC0PEXD/bn9JCPa7et
39Edazyi+37FN5+aPsP1RGI2s94vLUu05Y5YjXxIneBQqinyeZzcBhmH68TBOB/y
jgnlOMxNDAtOOZLjudlVty6FxDiaRNas0N3uwyFRNRUwu7OWWnZUU96FPLaAoR0=
=MLNQ
-----END PGP SIGNATURE-----