-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2015-010
CVE: CVE-2015-7704, CVE-2015-7705, CVE-2015-7852, CVE-2015-7871
Publication Date: 2015-Nov-30
Status: Confirmed
Revision: 1

Title
=====

Network Time Protocol Daemon (NTPD) Multiple Vulnerabilities

Overview
========

The NTP Project (www.ntp.org) announced multiple vulnerabilities in ntpd on
October 21, 2015. For full details, see
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner.

Multiple Aruba products incorporate ntpd and are vulnerable to a subset of the
announced vulnerabilities.

Affected Products
=================

-- ClearPass up to, but not including, 6.5.5
-- ArubaOS 6.3 up to, but not including, 6.3.1.20
-- ArubaOS 6.4 up to, but not including, 6.4.2.14, 6.4.3.6, and 6.4.4.3
-- ArubaOS 7.x up to, but not including, 7.4.1.2

Unaffected Products
===================

-- AirWave
-- Aruba Instant
-- Aruba Central
-- VIA
-- Meridian

Details
=======

-- ClearPass is vulnerable to CVE-2015-7704 and CVE-2015-7705. An attacker
   could degrade clock accuracy by causing ClearPass to stop or delay updating
   its clock through NTP.

-- ArubaOS 6.3 and 6.4 are vulnerable to CVE-2015-7704 and CVE-2015-7705. An
   attacker could degrade clock accuracy by causing ArubaOS to stop or delay
   updating its clock through NTP.

-- Additionally, ArubaOS 6.4 is vulnerable to CVE-2015-7871 ("NAK to the
   Future"). This is the most serious of the vulnerabilities: it could allow
   an attacker to control the clock on a device running ArubaOS 6.4.

Workarounds
===========

The following workarounds substantially reduce exposure to these
vulnerabilities:

-- Restrict access to NTP servers by ensuring that systems communicate only
   with specific, trusted upstream NTP servers.

-- Do not allow untrusted systems to access Aruba components on UDP port 123.
   Aruba systems operate as NTP clients and always send their NTP requests
   outbound to upstream NTP servers; there is no need for an external system
   to initiate contact with an Aruba component on this port.

   Note: In a multi-node ClearPass deployment, the ClearPass publisher does
   act as an NTP server for the ClearPass subscriber nodes, so firewall rules
   must still permit UDP port 123 from the subscribers to the publisher.

-- For ArubaOS 6.4, use Service ACLs to permit inbound NTP traffic only from
   trusted sources.

Because NTP runs over UDP, filtering by source address does not stop an
attacker who can spoof the address of a trusted server. Treat these
workarounds as interim measures and install a fixed release when available.

Resolution
==========

These vulnerabilities will be addressed in the following versions:

-- ClearPass: 6.5.5, expected early January 2016
-- ArubaOS: 6.3.1.20, 6.4.2.14, 6.4.3.6, 6.4.4.3 (bug 127194)

Obtaining Fixed Software
========================

Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:

+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

Revision History
================

Revision 1.0 / 2015-Nov-30 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products and on obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of
PGP encryption.
Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2015 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given at the
top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWW3ShAAoJEJj+CcpFhYbZ94YH/0/hKBXXrxsxbM5heK7BYw8c
zPF7dOlwdrkhPtM9lArmHzIgpgbYqDTdmeq6Bp18nzanyI3dcG1J+ig1G4bc/diz
tT2t0Lmi/Tyh+UaJCFb2pRDbxRYOONZKd1+xM4hSEm2C/Bwr57K3jYJ1VIxp9oT5
w0TgvjH2QHTQwqj92mzQxBlFo02BCB845jxKh4xiOAH8lNcC0PEXD/bn9JCPa7et
39Edazyi+37FN5+aPsP1RGI2s94vLUu05Y5YjXxIneBQqinyeZzcBhmH68TBOB/y
jgnlOMxNDAtOOZLjudlVty6FxDiaRNas0N3uwyFRNRUwu7OWWnZUU96FPLaAoR0=
=MLNQ
-----END PGP SIGNATURE-----
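The Workarounds section above says what to permit on UDP port 123 but not what the crypto-NAK packet behind CVE-2015-7871 ("NAK to the Future") looks like on the wire. The following Python is an added example, not Aruba's or ntp.org's code: it models an inbound policy check that applies the two workaround rules (accept NTP only from configured upstream peers, drop everything else on UDP/123) and then parses each accepted datagram so that a crypto-NAK arriving from a "trusted" address is flagged rather than silently trusted. The peer addresses (192.0.2.x), the packets, and the helper names (`filter_inbound`, `parse_ntp`, `build_ntp`) are assumptions made for the demonstration; NTPv4 extension fields are not parsed.

```python
"""Added example (not Aruba or ntp.org code): a toy inbound-NTP policy check
that mirrors the workarounds in ARUBA-PSA-2015-010 and flags the crypto-NAK
packets that CVE-2015-7871 ("NAK to the Future") abuses.

Assumptions: the trusted addresses are made-up documentation addresses
(192.0.2.0/24), the packets are constructed here rather than captured, and
NTPv4 extension fields are not parsed (any bytes after the 48-byte header are
treated as a MAC or a crypto-NAK).
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

NTP_PORT = 123
NTP_HEADER_LEN = 48            # RFC 5905 fixed header, no extension fields
MAC_LENS = {20, 24}            # 4-byte key id + MD5 (16) or SHA-1 (20) digest
MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}

# Hypothetical upstream servers this device is configured to poll.
TRUSTED_NTP_PEERS = frozenset({ip_address("192.0.2.10"), ip_address("192.0.2.11")})


@dataclass(frozen=True)
class NtpPacket:
    version: int
    mode: int
    stratum: int
    key_id: Optional[int]      # None when the packet carries no MAC at all
    crypto_nak: bool           # True for the all-zero 4-byte "MAC" of RFC 5905 sect. 7.3


def parse_ntp(payload: bytes) -> NtpPacket:
    """Decode the fixed header and classify whatever follows it."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("short packet")
    li_vn_mode, stratum = struct.unpack_from("!BB", payload)
    version = (li_vn_mode >> 3) & 0x7
    mode = li_vn_mode & 0x7
    trailer = payload[NTP_HEADER_LEN:]
    if not trailer:
        return NtpPacket(version, mode, stratum, None, False)
    if len(trailer) == 4:
        # A lone 32-bit word after the header is only meaningful as a
        # crypto-NAK, and a crypto-NAK is by definition a zero word.
        (key_id,) = struct.unpack("!I", trailer)
        if key_id != 0:
            raise ValueError("4-byte trailer with non-zero key id")
        return NtpPacket(version, mode, stratum, 0, True)
    if len(trailer) in MAC_LENS:
        (key_id,) = struct.unpack_from("!I", trailer)
        return NtpPacket(version, mode, stratum, key_id, False)
    raise ValueError(f"unexpected trailer length {len(trailer)}")


def filter_inbound(src_ip: str, dst_port: int, payload: bytes,
                   trusted=TRUSTED_NTP_PEERS) -> Tuple[bool, str]:
    """Apply the advisory's workaround to one inbound UDP datagram.

    Returns (accept, reason). Only configured peers may reach UDP/123; from
    those peers, control/private-mode packets are still dropped and crypto-NAKs
    are accepted but flagged, because an unexpected NAK from a trusted address
    is exactly what a spoofing attacker would send.
    """
    if dst_port != NTP_PORT:
        return True, "not NTP; outside this policy"
    if ip_address(src_ip) not in trusted:
        return False, f"drop: {src_ip} is not a configured NTP peer"
    try:
        pkt = parse_ntp(payload)
    except ValueError as err:
        return False, f"drop: malformed NTP from {src_ip} ({err})"
    if pkt.mode in (6, 7):
        return False, f"drop: {MODE_NAMES[pkt.mode]} mode from {src_ip}"
    if pkt.crypto_nak:
        return True, f"ALERT: crypto-NAK from {src_ip}; confirm the server really sent it"
    auth = f"key id {pkt.key_id}" if pkt.key_id is not None else "unauthenticated"
    return True, f"accept: {MODE_NAMES.get(pkt.mode, pkt.mode)} reply from {src_ip}, {auth}"


def build_ntp(mode: int, stratum: int = 2, trailer: bytes = b"") -> bytes:
    """Construct a minimal NTPv4 datagram for the demo (not captured traffic)."""
    return bytes([(4 << 3) | mode, stratum]) + bytes(NTP_HEADER_LEN - 2) + trailer


def demo():
    """Run constructed cases through the filter; returns a list of (accept, reason)."""
    cases = [
        ("192.0.2.10", build_ntp(4)),                       # plain reply from a peer
        ("198.51.100.7", build_ntp(4, trailer=bytes(4))),   # crypto-NAK, untrusted source
        ("192.0.2.10", build_ntp(4, trailer=bytes(4))),     # crypto-NAK, trusted address
        ("192.0.2.11", build_ntp(4, trailer=struct.pack("!I", 1) + bytes(16))),  # MD5 MAC
        ("192.0.2.10", build_ntp(7)),                       # mode 7 "private" from a peer
        ("192.0.2.10", build_ntp(4, trailer=b"\x00\x00\x00\x01")),  # bogus 4-byte trailer
    ]
    return [filter_inbound(ip, NTP_PORT, pkt) for ip, pkt in cases]


if __name__ == "__main__":
    for accept, reason in demo():
        print("ACCEPT" if accept else "DROP  ", reason)
```

Run the file directly to print a verdict per constructed packet. A NAK from a trusted address is flagged rather than dropped on purpose: UDP source addresses are cheap to forge, so a Service ACL narrows who can reach the daemon but cannot distinguish a forged NAK from a real one, which is why the fixed release is still required.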