Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2016-005
CVE: CVE-2016-2032
Publication Date: 2016-May-04
Status: Confirmed
Revision: 1

Title
=====
AirWave Management Platform Multiple Vulnerabilities

Overview
========
Multiple vulnerabilities exist in the AirWave Management Platform. The
contents of this advisory are subject to an impending public disclosure
by the Google Security Team under a 90-day disclosure deadline;
therefore customers are advised to treat this advisory urgently.

Affected Products
=================
  -- AirWave Management Platform 8.x prior to 8.2

Details
=======

RabbitMQ Management interface exposed (bug DE24504)
===================================================
In AirWave 8.0, the management interface of an underlying system
component called RabbitMQ was inadvertently exposed to the network
through removal of a firewall rule. This interface listens on TCP
ports 15672 and 55672. Although the password for this interface is
unique per AMP installation and not discoverable by an unauthorized
user, this interface represents additional attack surface that should
not be exposed.

CVSS Score: 2.2 (LOW) (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)

FIX: Fixed in AirWave 8.2.0. The management interface is no longer
exposed.

XSRF token uses weak generation algorithm (bug DE21616)
=======================================================
Web management actions in AirWave must include a unique token that is
generated at the time of each login. This token is used to prevent
cross-site request forgery (XSRF) attacks. It was discovered that the
algorithm used to generate the token is based on a limited source of
entropy. This could permit an attacker to guess the XSRF token during
an attack, allowing the session to be hijacked.

CVSS Score: 3.9 (LOW) (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L)

FIX: Fixed in AirWave 8.0.11 and higher.
The XSRF token now uses a cryptographically strong entropy source.

Arbitrary modification of NTP configuration file (bug DE24387)
==============================================================
Improper input validation allows an authenticated administrator to
make arbitrary changes to the NTP configuration file. A malicious
insider could use this capability to disrupt time synchronization.

CVSS Score: 2.0 (LOW) (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N)

FIX: Fixed in AirWave 8.0.11 and higher. Proper input validation is
now performed, preventing arbitrary changes to the NTP configuration
file.

PAPI protocol is not secure
===========================
PAPI (UDP port 8211) is used between Aruba mobility controllers and
AirWave to transport AMON messages, used for reporting bulk wireless
statistics. The protocol is not secure against a malicious user on the
network:

  - MD5 message digests are not validated upon receipt
  - PAPI encryption protocol is weak
  - All Aruba devices use a common static key for message validation

An attacker with access to the network between Aruba controllers and
AMP could inject forged AMON messages, causing AirWave to record
erroneous statistics. The companion document "Control Plane Security
Best Practices" contains a complete explanation of how PAPI is used
and the potential risks it exposes.

CVSS Score: 3.1 (LOW) (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

FIX: These flaws cannot be fixed quickly, and remain present in AMP
8.2. An update planned for Q3 2016 will change PAPI so that it
operates within a secure channel such as DTLS or IPsec.

Resolution
==========
Upgrade to AirWave versions 8.2.0 or higher.

Credit
======
All issues in this advisory were discovered and reported by Sven
Blumenstein of the Google Security Team. The Aruba SIRT wishes to
express its gratitude to Sven for the initial report and the resulting
dialog.

Revision History
================
Revision 1 / 2016-May-04 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to sirt(at)arubanetworks.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2016 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.
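
Added example, not part of the Aruba advisory or of AirWave's code: the XSRF token issue (bug DE21616) sketched in Python, with a limited-entropy token beside one drawn from a cryptographically strong source and checked in constant time. The weak scheme (MD5 over login second and process ID) is a hypothetical stand-in, since the advisory does not publish the real algorithm; all function names and sample values are illustrative.

```python
import hashlib
import hmac
import math
import secrets


def weak_token(login_epoch: int, pid: int) -> str:
    """Hypothetical weak scheme (assumption, not AirWave's algorithm):
    the token depends only on the login second and the process ID."""
    return hashlib.md5(f"{login_epoch}:{pid}".encode()).hexdigest()


def weak_token_entropy_bits(window_seconds: int, max_pid: int = 32768) -> float:
    """Upper bound on the entropy of weak_token() when the login time is
    known to within window_seconds; the 128-bit digest adds nothing."""
    return math.log2(window_seconds * max_pid)


def issue_token(session: dict) -> str:
    """At login, bind a fresh 256-bit token from the OS CSPRNG to the session."""
    session["xsrf_token"] = secrets.token_urlsafe(32)
    return session["xsrf_token"]


def verify_token(session: dict, submitted) -> bool:
    """Accept a state-changing request only if its token matches the
    session's; missing values fail, comparison is constant-time."""
    expected = session.get("xsrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    print("weak token:", weak_token(1462320000, 4242))
    print("weak entropy (1h window): %.1f bits" % weak_token_entropy_bits(3600))
    session = {}
    token = issue_token(session)
    print("strong token:", token)
    print("valid:", verify_token(session, token))
    print("forged:", verify_token(session, "guess"))
```

The hex digest of the weak token is 128 bits long, yet its guessing space is bounded by the inputs that vary, which is under 27 bits for a one-hour login window in this sketch.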