-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2016-004
CVE: CVE-2016-2031, CVE-2016-0801, CVE-2016-0802
Publication Date: 2016-May-04
Status: Confirmed
Revision: 2

Title
=====

Aruba Instant Multiple Vulnerabilities

Overview
========

Multiple vulnerabilities exist in Aruba Instant. The contents of this
advisory are subject to an impending public disclosure by the Google
Security Team under a 90-day disclosure deadline; therefore customers
are advised to treat this advisory urgently.

Affected Products
=================

-- Aruba Instant (all versions up to, but not including, 4.1.3.0 and
   4.2.3.1)

Details
=======

Because all vulnerabilities described in this advisory are fixed in the
same set of software releases, and are not separable, a single CVE
number (CVE-2016-2031) is being used to track the entire set.

Insecure transmission of login credentials (bug 134946)
=======================================================

The username and password used to authenticate to the IAP's
administrative interface are sent through HTTP GET, meaning that the
username and password appear as a query string within the URL. This is
not recommended, since it could lead to credentials being stored in
browser history, server log files, or proxy log files.

CVSS Score: 4.0 (MEDIUM) (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N)

FIX: Fixed in IAP 4.1.3.0 and 4.2.3.1. Login credentials will now be
sent using a POST.

Presence of Engineering Support Mode with Static Password
=========================================================

Aruba Instant contains a "support mode" that is accessed from within an
authenticated administrative session. A static password, common to all
Aruba Instant APs running a particular software version, is used to
access this mode.
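The credential-in-URL problem described under "Insecure transmission of
login credentials (bug 134946)" above is one that defenders can check for
in their own proxy and web server logs, since the leaked query strings end
up exactly there. The Python script below is an added example, not Aruba's
code and not part of this advisory: it scans Combined Log Format lines for
query-string parameters whose names suggest a credential and reports them
with the values redacted. The log lines, the parameter-name list and the
CGI paths are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names that commonly carry secrets.  This list is an assumption
# for the example; extend it with the names your own applications use.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token",
                  "apikey", "api_key"}

# Request line inside a Common/Combined Log Format record: "METHOD target PROTO"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample log: one request that leaks a password in the query
# string, one harmless GET, and one login that correctly uses POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/May/2016:10:15:02 +0000] '
    '"GET /cgi-bin/login?user=admin&password=hunter2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/May/2016:10:15:09 +0000] '
    '"GET /cgi-bin/status?page=overview HTTP/1.1" 200 2048',
    '10.0.0.7 - - [04/May/2016:10:16:30 +0000] '
    '"POST /cgi-bin/login HTTP/1.1" 302 0',
]


def redact_query(target):
    """Return the request target with sensitive query values replaced, so a
    report about the leak does not itself become another copy of the secret."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return f"{parts.path}?{urlencode(pairs)}"


def find_credential_leaks(log_lines):
    """Scan access-log lines and report every request whose query string
    carries a sensitive parameter name.  Returns a list of findings with the
    line number, method, path, leaked parameter names and a redacted target."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        query = urlsplit(target).query
        leaked = sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                         if k.lower() in SENSITIVE_KEYS})
        if leaked:
            findings.append({
                "line": lineno,
                "method": m.group("method"),
                "path": urlsplit(target).path,
                "params": leaked,
                "redacted": redact_query(target),
            })
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['redacted']} "
              f"exposes {', '.join(f['params'])}")
```

Run against real logs with `find_credential_leaks(open(path))`; the POST
login in the sample produces no finding because the form body is not part
of the request line, which is the whole point of the advisory's fix.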
Support mode provides additional configuration and diagnostic
capabilities - some of which could result in physical damage to the AP
hardware - and thus is intended to be accessed only by Aruba support
personnel. This is not a backdoor password - support mode can only be
accessed after establishing an authenticated SSH session using a valid
credential. Aruba support personnel must obtain that credential, or be
given access to a session that is already logged in, before they can
access support mode. A malicious insider, with access to both a valid
administrative password and the support mode password, could
potentially change IAP configuration without those changes being
subject to normal audit logging.

FIX: Aruba does not consider this to be a vulnerability. However, the
use of a static password that is common within a software release
presents some concerns. Aruba is currently testing a new system that
will generate a unique challenge-response each time support mode is
accessed, and keep audit logs indicating how it is used. This system is
expected to be rolled out in Q3 2016, concurrent with the release of
ArubaOS 6.5. The feature is targeted for Instant release 4.3.

Authenticated Remote Code Execution (bug 134952)
================================================

Insufficient checking of parameters allows an authenticated
administrative user to execute commands on the IAP's underlying Linux
operating system with root privileges. An attacker could use this
vulnerability to obtain a root shell or run any other command with root
privileges.

CVSS Score: 6.0 (MEDIUM) (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L)

FIX: Fixed in IAP 4.1.3.0 and 4.2.3.1. Proper validation is now done on
input parameters.

Execution of arbitrary RADIUS commands (bug 134953)
===================================================

Insufficient checking of parameters allows an authenticated
administrative user to execute arbitrary "raddb" commands, affecting
the embedded FreeRADIUS server.
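Both "Authenticated Remote Code Execution (bug 134952)" and the raddb
issue above come down to the same missing control: administrative
parameters reached a privileged command without being checked. The Python
below is an added example, not Aruba's code, and does not reflect the
IAP's actual interface; it shows the shape of the fix the advisory
describes ("proper validation is now done on input parameters") for a
hypothetical ping diagnostic. Each parameter is validated against a closed
pattern or allowlist, and the result is passed to the OS as a discrete
argv list, never through a shell. The parameter names, interface list and
command are assumptions made for the example.

```python
import ipaddress
import re
import subprocess

# Hypothetical administrative diagnostic for this example: "ping <host> via
# <interface>, <count> times".  Parameter names, the allowlist and the command
# are assumptions, not the IAP's real interface.
INTERFACE_ALLOWLIST = {"br0", "eth0", "bond0"}   # constructed; use the device's real list
MAX_COUNT = 20

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, total length at most 253.  Nothing else gets through.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


class ParameterError(ValueError):
    """Raised for any parameter that is not exactly what the command expects."""


def validate_host(value):
    """Accept an IPv4/IPv6 literal or a hostname; reject everything else,
    including anything containing shell metacharacters or a leading '-'."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(value):
        return value
    raise ParameterError(f"invalid host {value!r}")


def validate_interface(value):
    """Interfaces come from a fixed allowlist, not from a pattern."""
    if value not in INTERFACE_ALLOWLIST:
        raise ParameterError(f"unknown interface {value!r}")
    return value


def validate_count(value):
    """Small positive integer only; the string is checked before int()."""
    if not re.fullmatch(r"[0-9]{1,2}", value) or not 1 <= int(value) <= MAX_COUNT:
        raise ParameterError(f"count out of range {value!r}")
    return int(value)


def build_ping_argv(params):
    """Turn untrusted request parameters into an argv list.  Every field is
    validated first; because the host cannot start with '-' and the interface
    is allowlisted, no element can be mistaken for an option or shell syntax."""
    host = validate_host(params.get("host", ""))
    iface = validate_interface(params.get("interface", ""))
    count = validate_count(params.get("count", "3"))
    return ["ping", "-c", str(count), "-I", iface, host]


def is_accepted(params):
    """True if the parameters pass validation; for callers that want a
    yes/no answer instead of an exception."""
    try:
        build_ping_argv(params)
        return True
    except ParameterError:
        return False


def run_ping(params):
    """Execute the diagnostic.  subprocess.run with a list and shell=False
    passes each element as one argument; no shell ever sees the input."""
    argv = build_ping_argv(params)
    return subprocess.run(argv, capture_output=True, text=True, timeout=60)


if __name__ == "__main__":
    print(build_ping_argv({"host": "192.0.2.1", "interface": "br0", "count": "4"}))
    for bad in ({"host": "192.0.2.1; id", "interface": "br0"},
                {"host": "example.net", "interface": "br0 && id"},
                {"host": "example.net", "interface": "br0", "count": "9999"}):
        print("accepted:", is_accepted(bad), bad)
```

The important property is that validation decides what a parameter may be,
rather than trying to enumerate what it must not contain; an allowlist for
the interface and a strict grammar for the host leave no room for
metacharacters or option injection, and the argv list removes the shell
from the picture entirely.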
This could allow an attacker to change the configuration of the
FreeRADIUS server.

CVSS Score: 2.0 (LOW) (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N)

FIX: Fixed in IAP 4.1.3.0 and 4.2.3.1. Proper validation is now done on
input parameters.

Unauthenticated disclosure of environment variables (bug 134954)
================================================================

It is possible to obtain a listing of environment variables by
requesting a specific URL from the IAP's web server. This does not
require authentication. The information disclosed is not considered
sensitive.

CVSS Score: 3.6 (LOW) (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/CR:L)

FIX: Fixed in IAP 4.1.3.0 and 4.2.3.1. The "printenv" opcode was
unneeded and has been removed.

Unauthenticated automated firmware update request (bug 134956)
==============================================================

A failure to properly validate a session ID would allow an
unauthenticated network user to initiate a firmware update to the IAP
by invoking the automatic firmware update command. Although the IAP
will only run firmware images that are digitally signed, exploitation
of this vulnerability could lead to a reboot of an IAP cluster and
could cause unplanned outages.

CVSS Score: 6.5 (MEDIUM) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

FIX: Fixed in IAP 4.1.3.0 and 4.2.3.1. The session ID is now properly
validated.

Firmware update procedure does not validate server certificate (bug 134957)
===========================================================================

In a previous IAP release, behavior was intentionally introduced that
would allow the IAP to communicate with cloud-based services such as
"device.arubanetworks.com" (used for downloading new firmware images)
without validating the TLS server certificate.
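The automated firmware update issue (bug 134956) above and the PAPI
authentication bypass (bug 134971) later in this advisory are the same
class of flaw: a session ID that is carried in the message but not actually
checked before a privileged command runs. The Python below is an added
example, not Aruba's code and not how the IAP implements sessions; it shows
what "properly validated" has to mean in practice. Session IDs are
high-entropy random values, only their SHA-256 digests are kept server-side,
and a missing, malformed, unknown, expired or under-privileged ID is
rejected before dispatch. The command names, TTL and the manual clock are
constructed for the example.

```python
import hashlib
import secrets
import time

SESSION_TTL = 900          # seconds; assumption for this example
SESSION_ID_BYTES = 32      # 256 bits of randomness per session ID

# Command names are constructed for the example; they stand in for the
# "automatic firmware update" and "download configuration" operations.
PRIVILEGED_COMMANDS = {"firmware_update", "download_config"}


def _digest(session_id):
    """Sessions are indexed by the SHA-256 of the ID, so a copy of the session
    table does not hand out live session IDs."""
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


class ManualClock:
    """Test clock: time only moves when advance() is called."""

    def __init__(self, start=1000.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class SessionStore:
    """Minimal server-side session table with an injectable clock."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_digest = {}   # sha256(session_id) -> record

    def create(self, user, role):
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._by_digest[_digest(session_id)] = {
            "user": user, "role": role, "expires": self._clock() + SESSION_TTL}
        return session_id

    def validate(self, presented, required_role="admin"):
        """Return the session record if 'presented' is a live session with the
        required role, otherwise None.  Every failure mode is an explicit
        rejection; an absent ID is never treated as 'no check needed'."""
        if not isinstance(presented, str) or not presented:
            return None
        record = self._by_digest.get(_digest(presented))
        if record is None:
            return None
        if self._clock() >= record["expires"]:
            del self._by_digest[_digest(presented)]   # cannot be revived later
            return None
        if record["role"] != required_role:
            return None
        return record

    def revoke(self, presented):
        """Logout: drop the session so the ID stops working immediately."""
        self._by_digest.pop(_digest(presented), None)


def dispatch(store, command, session_id):
    """Gate every privileged command on a validated session.  Returns a
    (status, detail) tuple; the command body is unreachable without one."""
    if command in PRIVILEGED_COMMANDS:
        session = store.validate(session_id)
        if session is None:
            return ("denied", f"{command}: no valid administrative session")
        return ("ok", f"{command} executed for {session['user']}")
    return ("ok", f"{command} executed (no privilege required)")


def demo_lifecycle():
    """Walk sessions through their life and return the dispatch statuses in
    order: valid, missing, empty, unknown, wrong role, unprivileged command,
    expired, revoked."""
    clock = ManualClock()
    store = SessionStore(clock=clock)
    admin = store.create("admin", "admin")
    guest = store.create("guest", "guest")
    results = [dispatch(store, "firmware_update", admin)[0],
               dispatch(store, "firmware_update", None)[0],
               dispatch(store, "firmware_update", "")[0],
               dispatch(store, "firmware_update", "not-a-real-session")[0],
               dispatch(store, "download_config", guest)[0],
               dispatch(store, "show_version", None)[0]]
    clock.advance(SESSION_TTL + 1)
    results.append(dispatch(store, "firmware_update", admin)[0])
    fresh = store.create("admin", "admin")
    store.revoke(fresh)
    results.append(dispatch(store, "firmware_update", fresh)[0])
    return results


if __name__ == "__main__":
    print(demo_lifecycle())
```

The check sits in one place, in front of the dispatcher, rather than being
left to each command handler; that is what keeps a single forgotten check
from turning an administrative command into an unauthenticated one.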
This behavior occurred after the IAP attempted and failed multiple
times to validate the server certificate - the behavior was intended to
avoid a situation where an expired CA certificate would prevent the IAP
from downloading a new software image that would replace the expired
CA. When communicating with the cloud service without verifying the
server certificate, only a firmware download was permitted; no other
activity was permitted to take place over that TLS session.

This behavior unfortunately also permitted a man-in-the-middle attack
to be carried out. Within the TLS session, it was possible to instruct
the IAP to download any firmware image available on Aruba's download
server. Through a command known as "mandatory update", the IAP could be
forced to downgrade its software image. Although the risk of compromise
is low from this behavior, sufficient concerns were raised that the
behavior is being changed. In the updated software, the IAP will only
proceed with connecting to cloud services without validating a server
certificate while in the factory-default configuration - a user will
need to press and hold the reset button to set this condition. With the
new behavior, the IAP can still recover from a server certificate
failure, but existing configuration on the system will not be put at
risk.

CVSS Score: 3.7 (LOW) (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L)

FIX: Fixed in IAP 4.1.3.0 and 4.2.3.1.

IAP contains certificate and private key
========================================

IAPs (and mobility controllers) ship with a default certificate used
for captive portal and WebUI ("securelogin.arubanetworks.com"). The
private key for this certificate is stored unencrypted on the IAP's
filesystem. Although Aruba has previously warned against using the
factory default certificate in production networks, this serves as a
good reminder. The default certificate should ALWAYS be replaced with a
customer-generated certificate.
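Two findings above concern certificates: the firmware downloader that
skipped TLS server-certificate validation (bug 134957), and the shared
factory-default certificate whose private key ships on every unit. The
Python below is an added example, not Aruba's code and not the IAP's
firmware-update client. It shows the weak client configuration beside the
verifying one, the factory-default-only fallback policy the fixed release
is described as using, and an audit check that flags a device still
presenting the "securelogin.arubanetworks.com" certificate. The certificate
dictionaries are constructed in the shape Python's ssl.getpeercert()
returns; the custom hostname is a placeholder.

```python
import socket
import ssl

# Subject name of the shared factory-default certificate named in the advisory.
DEFAULT_CERT_CN = "securelogin.arubanetworks.com"


def verifying_context(ca_bundle=None):
    """Client context that checks the chain against trusted roots and the
    hostname against the certificate.  This is the posture a firmware client
    should have for any device that is not in factory-default state."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context():
    """The weak posture the advisory describes: any certificate is accepted,
    so anyone on the path can terminate the TLS session.  Shown only for
    contrast with verifying_context()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def firmware_download_context(factory_default, ca_bundle=None):
    """Policy the advisory attributes to the fixed release: an unverified
    connection is allowed only while the device is in factory-default state,
    where there is no existing configuration to put at risk."""
    return unverified_context() if factory_default else verifying_context(ca_bundle)


def subject_common_name(cert):
    """Pull commonName out of the nested tuples ssl.getpeercert() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def uses_factory_default_cert(cert):
    """True if the presented certificate is the shared factory default, judged
    by its subject CN or any DNS subjectAltName."""
    names = {subject_common_name(cert)}
    names.update(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return DEFAULT_CERT_CN in names


def audit_device_certificate(host, port=443, ca_bundle=None):
    """Connect to a device's WebUI and report whether it still presents the
    factory-default certificate.  The chain is still verified; only the
    hostname check is relaxed because devices are usually reached by IP."""
    ctx = verifying_context(ca_bundle)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return uses_factory_default_cert(tls.getpeercert())


# Constructed certificate dicts in the shape ssl.getpeercert() returns.
SAMPLE_DEFAULT_CERT = {
    "subject": ((("commonName", DEFAULT_CERT_CN),),),
    "subjectAltName": (("DNS", DEFAULT_CERT_CN),),
}
SAMPLE_CUSTOM_CERT = {
    "subject": ((("commonName", "iap-lobby.example.net"),),),
    "subjectAltName": (("DNS", "iap-lobby.example.net"),),
}


if __name__ == "__main__":
    print("default cert flagged:", uses_factory_default_cert(SAMPLE_DEFAULT_CERT))
    print("custom cert flagged: ", uses_factory_default_cert(SAMPLE_CUSTOM_CERT))
    print("verifying context:   ", verifying_context().verify_mode == ssl.CERT_REQUIRED)
```

When audit_device_certificate() raises ssl.SSLCertVerificationError the
device is presenting a certificate that does not chain to a trusted root,
which is itself a finding worth recording rather than a reason to fall back
to unverified_context().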
FIX: A future software update will remove all default certificates
issued from a public CA. They will be replaced with self-signed
certificates, generated uniquely per device.

PAPI protocol listener exposed on all interfaces (bug 134965)
=============================================================

PAPI is the control protocol used between cluster members in an IAP
cluster. This protocol is not intended to be cryptographically secure -
it should be used only over networks that are generally trusted.
Through testing, it was discovered that the PAPI protocol listener was
bound to all interfaces of the IAP, including wireless interfaces. In
addition, it was not possible to use firewall rules within the IAP to
block PAPI. Thus, in situations where the network was NOT generally
trusted, it was impossible to disable PAPI. Aruba has published a
companion security advisory document entitled "Control Plane Security
Best Practices" which contains a more complete explanation of how PAPI
is used and the potential risks it exposes.

CVSS Score: 6.5 (MEDIUM) (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)

FIX: Fixed in IAP 4.1.3.0 and 4.2.3.1. In the updated software,
firewall rules are not auto-populated to permit PAPI when the IAP is in
standalone mode. In non-standalone mode, a configuration knob has been
added to disable auto-population of firewall rules to allow PAPI. When
this knob is enabled, PAPI may be selectively permitted or blocked
using firewall rules.

PAPI protocol is not secure
===========================

The PAPI protocol contains a number of unremediated flaws, including:

- MD5 message digests are not properly validated upon receipt
- PAPI encryption protocol is weak
- All Aruba devices use a common static key for message validation

The companion document "Control Plane Security Best Practices" contains
a complete explanation of how PAPI is used and the potential risks it
exposes.
CVSS Score: 7.5 (HIGH) (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

FIX: These flaws cannot be fixed quickly, and remain present in 4.1.3.0
and 4.2.3.1. An update planned for Q3 2016 will change PAPI so that it
operates within a secure channel such as DTLS or IPsec.

PAPI authentication bypass (bug 134971)
=======================================

PAPI is also used for inter-process communication within an IAP. In
this mode, messages contain a session ID to ensure that a valid
administrative session is logged in to the WebUI. A flaw was discovered
where the session ID is not properly validated. An attacker can exploit
this vulnerability to execute commands on the IAP, including
downloading the complete configuration file, without authentication.

CVSS Score: 8.1 (HIGH) (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

FIX: Fixed in IAP 4.1.3.0 and 4.2.3.1. The session ID is now properly
validated.

LLDP Information Disclosure (bug 134972)
========================================

The IAP implementation of LLDP transmits the MAC address, model number,
and software version number to LLDP peers. Transmission of the software
version number was viewed as information disclosure without a
compelling reason to do so.

CVSS Score: 3.6 (LOW) (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/CR:L)

FIX: Fixed in IAP 4.1.3.0 and 4.2.3.1. The software version string has
been removed from LLDP messages.

User passwords encrypted with a static key
==========================================

All passwords in an IAP configuration file are stored using reversible
encryption. The encryption key is common across all IAP deployments.
The reason reversible encryption is used rather than one-way hashing is
so that Wi-Fi authentication using WPA2/PEAP-MSCHAPv2 may be performed
using these passwords - MSCHAPv2 requires that the IAP have access to
the cleartext password. The configuration file should never be exposed
to an attacker.
Although the encryption key used to encrypt passwords in the config
file is obfuscated in the object code, a determined attacker may be
able to learn this key through reverse engineering, and subsequently
use this key to recover passwords from a stolen configuration file.

FIX: Aruba does not consider this a vulnerability, but the behavior
does not follow industry best practices for security and
defense-in-depth. An update planned for Q3 2016 will separate storage
of management passwords from user passwords. Management passwords will
be stored as a one-way hash, using PBKDF2. Those passwords may not be
used with PEAP-MSCHAPv2. User passwords (intended for authenticating
wireless users when RADIUS is not employed) will still be stored using
reversible encryption.

Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver (CVE-2016-0801, CVE-2016-0802)
===========================================================================================

The Broadcom Wi-Fi driver used in the IAP-2xx series access points
allows attackers to execute arbitrary code or cause a denial of service
(memory corruption) via crafted wireless control message packets. The
attacker must be joined to the network (wired or wireless) - this
vulnerability may not be exercised by an unauthenticated user against a
WPA2 network.

CVSS Score: 4.9 (MEDIUM) (AV:A/AC:M/Au:S/C:P/I:P/A:P)

Discovery: This vulnerability was publicly announced.

Fix: Fixed in IAP 4.1.3.0 and 4.2.3.1.

Resolution
==========

Upgrade to IAP version 4.2.3.1 or 4.1.3.0.

Credit
======

All issues in this advisory were discovered and reported by Sven
Blumenstein of the Google Security Team. The Aruba SIRT wishes to
express its gratitude to Sven for the initial report and the resulting
dialog.
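The FIX under "User passwords encrypted with a static key" above says
management passwords will move to a one-way PBKDF2 hash while user
passwords stay reversible for PEAP-MSCHAPv2. The Python below is an added
example, not Aruba's code, of what that management-password storage looks
like with the standard library: a per-password random salt, an iteration
count recorded alongside the hash so it can be raised later, and
constant-time verification. The record format and iteration count are
choices made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Parameters are assumptions for the example: raise ITERATIONS as far as the
# device's CPU budget allows; the salt is per password, never shared.
SCHEME = "pbkdf2-sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=ITERATIONS):
    """One-way record for a management password.  Nothing in the record lets a
    holder of the configuration file recover the password; the only attack
    left is guessing, and each guess costs 'iterations' PBKDF2 rounds."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"${SCHEME}${iterations}${_b64(salt)}${_b64(dk)}"


def _parse(stored):
    """Split a stored record; returns (iterations, salt, digest) or None."""
    try:
        empty, scheme, iters, salt_b64, dk_b64 = stored.split("$")
        if empty != "" or scheme != SCHEME:
            return None
        return (int(iters),
                base64.b64decode(salt_b64, validate=True),
                base64.b64decode(dk_b64, validate=True))
    except (ValueError, binascii.Error, AttributeError):
        return None


def verify_password(password, stored):
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time.  Malformed records simply fail to verify."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the record was made with fewer rounds than current policy;
    call after a successful login and re-hash with the password in hand."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("good password:", verify_password("correct horse battery staple", record))
    print("bad password: ", verify_password("Tr0ub4dor&3", record))
    print("needs rehash: ", needs_rehash(hash_password("legacy", iterations=10_000)))
```

A record like this is useless for MSCHAPv2, which needs the cleartext (or
its NT hash) on the authenticator; that is exactly why the advisory keeps
the two password classes separate rather than hashing everything.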
Revision History
================

Revision 1 / 2016-May-04 / Initial release
Revision 2 / 2016-May-11 / Updated to include CVE-2016-0801,
                           CVE-2016-0802

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to sirt(at)arubanetworks.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2016 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXLPAwAAoJEJj+CcpFhYbZRaUIAJ3hU982mgX41f4wbYGJFWJG
gattud5Fekwdkgjs5pbIEyICuqEQ1QiPIni7pNiXULkuVcjl8QycAKOnIwobuDQR
cv7BXm/28Ce7hjyupaGVekK9CdEK7cSakBEeGqxTyYeZOXhwbRV+LHsYe5loMFYh
8N/n1ncCtVGhKepg0DCJSOT2lpC9rgCk2Q1E7pLzVpnTDmhR8LNyGeCY6ptWC/Yd
VztzFV01maoJHCfwMT8S8S+IqP7gpB3scE0JAIBEHJr5QvITpfd1QK+09PnRGFss
i5Kf+F++hVY3nFmbbzvsXbEooJih9E3qpcHZygbQXrIl+msm+sMTmpRBsIywpdc=
=qCTO
-----END PGP SIGNATURE-----