-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2015-011
CVE: CVE-2015-5437
Publication Date: 2015-Nov-30
Status: Confirmed
Revision: 1

Title
=====
ArubaOS Multiple Vulnerabilities

Overview
========
This advisory covers three vulnerabilities in ArubaOS:

- Reflected Cross-Site Scripting
- Cross-Site Request Forgery
- Crafted frame causes AP-225 reboot

Affected Products
=================
-- ArubaOS 6.3 up to, but not including, 6.3.1.19
-- ArubaOS 6.4 up to, but not including, 6.4.2.13 and 6.4.3.4

Details
=======

Reflected Cross-Site Scripting
------------------------------
A reflected cross-site scripting vulnerability is present in a
monitoring page in the WebUI. If an administrator were tricked into
clicking on a malicious URL while logged into an Aruba controller's
management interface, this vulnerability could potentially reveal a
session cookie.

Severity: Low
CVSSv2 Overall Score: 3.6
CVSSv2 Vector: (AV:N/AC:H/Au:S/C:P/I:P/A:N)

Discovery: This vulnerability was posted to a public website. The
author did not practice responsible disclosure by coordinating with
Aruba Networks. Aruba does not provide public acknowledgement for
irresponsible vulnerability disclosure.

Cross-Site Request Forgery (CVE-2015-5437)
------------------------------------------
Most configuration-related pages in the ArubaOS management UI are
protected against cross-site request forgery (CSRF) through the use of
a unique, random token. It was found that certain operations which
could reveal sensitive information, such as the controller
configuration file, were not protected against CSRF. If an
administrator were tricked into clicking on a malicious URL while
logged into an Aruba controller's management interface, this
vulnerability could leak sensitive information to an attacker.
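The two web-layer issues above (the reflected XSS in the monitoring page
and the sensitive read that was not covered by the CSRF token) can be
illustrated with a small model of a management WebUI. The following
Python is an added example for this advisory; it is not ArubaOS code,
and the endpoint paths, parameter names, in-memory session store and
sample configuration text in it are invented for the demonstration. It
shows the monitoring page reflecting a parameter unencoded and then
HTML-encoded, the session cookie issued with HttpOnly so page script
cannot read it, and the configuration download first authenticated by
the cookie alone (so any page the administrator visits can trigger it)
and then gated on the per-session random token the advisory describes,
with an Origin check as defence in depth.

```python
"""Added illustration, not ArubaOS code: reflected XSS and CSRF on a
sensitive read, each beside its hardened form.

Everything below (paths, parameter names, session store, config text)
is a constructed assumption for the demo.
"""
import hmac
import html
import secrets
from dataclasses import dataclass, field

CONTROLLER_ORIGIN = "https://controller.example"   # assumed WebUI origin
CONFIG_TEXT = "hostname controller-1\nmgmt-user admin root <hash>\n"  # constructed

SESSIONS: dict = {}   # session id -> {"user": str, "csrf": str}


def login(user: str) -> str:
    """Create a session. The CSRF token is per session, unguessable and
    never carried in a cookie, so a cross-site request cannot supply it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """HttpOnly denies script access to document.cookie, so a reflected
    XSS payload cannot simply read the session cookie out. SameSite is a
    later browser-side defence; the demo below models a browser that
    attaches the cookie to every request, as browsers did in 2015."""
    return f"Set-Cookie: SESSION={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _session(req: Request):
    return SESSIONS.get(req.cookies.get("SESSION", ""))


# --- Reflected XSS: monitoring page echoing a query parameter -------------

def monitoring_page_vulnerable(req: Request):
    if _session(req) is None:
        return 401, ""
    f = req.query.get("filter", "")
    # BUG: untrusted input lands in HTML unencoded.
    return 200, f"<h1>AP monitoring</h1><p>Showing APs matching: {f}</p>"


def monitoring_page_fixed(req: Request):
    if _session(req) is None:
        return 401, ""
    f = html.escape(req.query.get("filter", ""), quote=True)
    return 200, f"<h1>AP monitoring</h1><p>Showing APs matching: {f}</p>"


# --- CSRF: sensitive read (configuration file download) -------------------

def config_download_vulnerable(req: Request):
    """Authenticated by the cookie alone, which the browser attaches to any
    request, including one a hostile page triggers with <img> or <form>."""
    if _session(req) is None:
        return 401, ""
    return 200, CONFIG_TEXT


def config_download_fixed(req: Request):
    sess = _session(req)
    if sess is None:
        return 401, ""
    if req.method != "POST":            # no bare GET for sensitive data
        return 405, ""
    supplied = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
        return 403, ""
    origin = req.headers.get("Origin")  # browsers set it on cross-site POSTs
    if origin is not None and origin != CONTROLLER_ORIGIN:
        return 403, ""
    return 200, CONFIG_TEXT


def demo() -> dict:
    """Run each handler against a legitimate and a cross-site request."""
    sid = login("admin")
    cookies = {"SESSION": sid}
    xss = Request("GET", "/monitoring",
                  query={"filter": "<script>alert(1)</script>"}, cookies=cookies)
    forged_get = Request("GET", "/config/download", cookies=cookies)
    forged_post = Request("POST", "/config/download", cookies=cookies,
                          headers={"Origin": "https://attacker.example"})
    legit = Request("POST", "/config/download", cookies=cookies,
                    headers={"Origin": CONTROLLER_ORIGIN,
                             "X-CSRF-Token": SESSIONS[sid]["csrf"]})
    return {
        "xss_vulnerable": monitoring_page_vulnerable(xss)[1],
        "xss_fixed": monitoring_page_fixed(xss)[1],
        "csrf_vulnerable_forged_get": config_download_vulnerable(forged_get)[0],
        "csrf_fixed_forged_get": config_download_fixed(forged_get)[0],
        "csrf_fixed_forged_post": config_download_fixed(forged_post)[0],
        "csrf_fixed_legit": config_download_fixed(legit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The point the advisory makes is that a CSRF token must cover every
operation whose response is sensitive, not only the configuration
changing ones: the forged GET in the demo succeeds against the
cookie-only handler and is refused by the hardened one, while the
legitimate request carries the token the hostile page cannot obtain.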
Severity: Low
CVSSv2 Overall Score: 3.6
CVSSv2 Vector: (AV:N/AC:H/Au:S/C:P/I:P/A:N)

Discovery: This vulnerability was posted to a public website. The
author did not practice responsible disclosure by coordinating with
Aruba Networks. Aruba does not provide public acknowledgement for
irresponsible vulnerability disclosure.

Crafted Frame Causes AP-225 Reboot
----------------------------------
Sending a specific malformed wireless frame to an AP-225 may cause the
AP to reboot. Aruba inadvertently documented this in ArubaOS release
notes before a security advisory could be issued. We regret the error
and have taken steps to prevent future accidental disclosures of
availability threats.

Severity: Medium
CVSSv2 Overall Score: 4.3
CVSSv2 Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Discovery: This issue was discovered through a customer TAC case.

Workarounds
===========
-- While actively managing an Aruba controller through the WebUI, be
   cautious about clicking on links in emails or on questionable web
   pages.
-- Using separate browsers to access the Aruba WebUI and other websites
   will mitigate XSS and CSRF issues.

Resolution
==========
The vulnerabilities have been addressed in the following versions:

-- ArubaOS 6.3.1.19
-- ArubaOS 6.4.2.13
-- ArubaOS 6.4.3.4
-- ArubaOS 6.4.4.0

Obtaining Fixed Software
========================
Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:

+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.
Revision History
================
Revision 1.0 / 2015-Nov-30 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to sirt(at)arubanetworks.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2015 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWW3TGAAoJEJj+CcpFhYbZKvcH/26cN2N6z7g2yO69w/fAN8mo
9BZaw65Qf/gzLUU24bMNUUIBoDNC5rNzZg+9WDWfqtY3C1Fr8zj+tfqYBEqjhDKG
FNewTb7rYC7jGUCuj1IYTUzLi4hsNzjlYZ2u00oEX77wqFoUrienQ/CzXGI2shLe
Lk+hUg008IoSX5PHmAeDY0fS9nZqQiL1ceXDyrRiLwKvg+hjc/UB2AHcMHsWAXA7
Vgy0ZZ1/9TgWnPwUQuktEFxPFiWYLuw4g3xyEYyrohwYdG0T8j1CVfXwFkpQD05I
nm2KD1DoQoB4FRHyCNoMQjO/gpvf/BD3wToM9yV4NUrGHt+g3OD934rWatC7ZEE=
=KAL1
-----END PGP SIGNATURE-----