-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2016-003
CVE: CVE-2016-2118
Publication Date: 2016-Apr-22
Status: Confirmed
Revision: 1

Title
=====

SAMR and LSA man in the middle attacks ("BADLOCK")

Overview
========

The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."

Affected Products
=================

-- ClearPass Policy Manager (all versions)

Unaffected Products
===================

-- ArubaOS (all versions)
-- AirWave (all versions)
-- Aruba Instant
-- Aruba VIA
-- Aruba Cloud Products (Activate, Central)
-- Mobility Access Switch

Details
=======

A publicly-announced vulnerability in Samba could allow an attacker with the ability to intercept traffic (man in the middle) between a ClearPass Policy Manager server and a Windows Active Directory server to get read/write access to the Security Account Manager database, which reveals all passwords and other potentially sensitive information.

Resolution
==========

A hotfix patch for ClearPass 6.4.7, 6.5.5 and 6.6.0 has been made available to address this issue. Please use any of the methods listed below to install the patch.

Installing the Patch Online Using the Software Updates Portal:

1. Open ClearPass Policy Manager and go to Administration > Agents and Software Updates > Software Updates.
2. In the Firmware and Patch Updates area, find the 'ClearPass 6.x.x Hotfix Patch for CVE-2016-2118' patch and click the Download button in its row.
3. Click Install.
4. When the installation is complete and the status is shown as Needs Restart, proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed.
The ClearPass Policy Manager version number will not change.

Installing the Patch Offline Using the Patch File from support.arubanetworks.com and HTTP:

1. Download the 'ClearPass 6.x.x Hotfix Patch for CVE-2016-2118' patch (6.x.x will actually be 6.4.7, 6.5.5 or 6.6.0 depending on your installation) from the Support site.
2. Post the patch file to a local HTTP server.
3. Open an SSH session to the ClearPass appliance using the 'appadmin' account.
4. Type 'system update -i '
5. When the installation is complete, issue 'system restart'. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.

Installing the Patch Offline Using the Patch File from support.arubanetworks.com and SCP:

1. Download the 'ClearPass 6.x.x Hotfix Patch for CVE-2016-2118' patch (6.x.x will actually be 6.4.7, 6.5.5 or 6.6.0 depending on your installation) from the Support site.
2. Post the patch file to a local SCP server.
3. Open an SSH session to the ClearPass appliance using the 'appadmin' account.
4. Type 'system update -i < user@'
5. When the installation is complete, issue 'system restart'. After reboot, the status for the patch will be shown as Installed. The ClearPass Policy Manager version number will not change.

Installing the Patch Offline Using the Patch File from support.arubanetworks.com:

1. Download the 'ClearPass 6.x.x Hotfix Patch for CVE-2016-2118' patch (6.x.x will actually be 6.4.7, 6.5.5 or 6.6.0 depending on your installation) from the Support site.
2. Open the ClearPass Policy Manager Admin UI and go to Administration > Agents and Software Updates > Software Updates.
3. At the bottom of the Firmware and Patch Updates area, click Import Updates and browse to the downloaded patch file.
4. Click Install.
5. When the installation is complete and the status is shown as Needs Restart, proceed to restart ClearPass. After reboot, the status for the patch will be shown as Installed.
The ClearPass Policy Manager version number will not change.

Revision History
================

Revision 1 / 2016-Apr-22 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2016 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.
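Added example, not code from Aruba or from this advisory: a small Python checker that applies the affected Samba ranges stated in the Overview (3.x, 4.x before 4.2.11, 4.3.x before 4.3.8, 4.4.x before 4.4.2) to version banners gathered from a host inventory, so an operator can list which servers still need the fix. The host names and banners in the sample inventory are constructed.

```python
"""Added example (not Aruba's code): classify Samba version strings against the
affected ranges in the Overview of ARUBA-PSA-2016-003 / CVE-2016-2118."""
import re
from typing import List, Tuple

# First fixed release on each branch named in the advisory; any 4.2/4.3/4.4
# release older than these is affected.
FIXED = {2: (4, 2, 11), 3: (4, 3, 8), 4: (4, 4, 2)}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull major.minor[.patch] out of strings such as 'Samba 4.3.7-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_vulnerable(text: str) -> bool:
    """True when the version is inside a range the advisory lists as affected."""
    major, minor, patch = parse_version(text)
    if major == 3:
        return True   # every 3.x release is listed as affected
    if major != 4:
        return False  # releases outside 3.x and 4.x are not in scope
    if minor < 2:
        return True   # 4.0.x and 4.1.x precede 4.2.11 and have no fixed release
    if minor > 4:
        return False  # branches newer than 4.4 are not listed
    return (major, minor, patch) < FIXED[minor]

def audit(inventory: List[str]) -> List[str]:
    """Return the host names whose Samba banner falls in an affected range."""
    affected = []
    for line in inventory:
        host, banner = line.split(maxsplit=1)
        if is_vulnerable(banner):
            affected.append(host)
    return affected

# Constructed sample inventory, one "<host> <Samba banner>" entry per line.
SAMPLE_INVENTORY = [
    "fileserver1 Samba 4.3.7-Ubuntu",
    "fileserver2 Samba 4.3.8",
    "legacy-nas Samba 3.6.25",
    "dc-proxy Samba 4.4.2",
    "build01 Samba 4.2.10-SerNet",
]
```

Running audit(SAMPLE_INVENTORY) reports fileserver1, legacy-nas and build01; a banner without a patch number (for example "Samba 4.3") is treated as the .0 release of that branch.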