-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2016-007
CVE: CVE-2016-0801, CVE-2016-0802, CVE-2015-8605
Publication Date: 2016-05-11
Status: Confirmed, Fixed
Revision: 1

Title
=====
ArubaOS Multiple Vulnerabilities

Overview
========
Multiple vulnerabilities have recently been fixed in ArubaOS.

Affected Products
=================
-- ArubaOS 6.3
-- ArubaOS 6.4.2.x prior to 6.4.2.16
-- ArubaOS 6.4.3.x prior to 6.4.3.7
-- ArubaOS 6.4.4.x prior to 6.4.4.5

Details
=======

Buffer Over-read Leads to Information Disclosure
-----------------------------------------------
A buffer over-read vulnerability allows an unauthenticated user to read
from uninitialized memory locations. Based on analysis of the flaw, Aruba
does not believe that this memory is likely to contain sensitive
information.

Severity: Low
CVSSv2 Overall Score: 2.9
CVSSv2 Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N)
Discovery: This vulnerability was discovered and reported by Roden Delves
of Telstra.
Fix: Fixed in 6.4.2.14, 6.4.3.7, and 6.4.4.3.

Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver
(CVE-2016-0801, CVE-2016-0802)
-------------------------------------------------------------------------------------------
The Broadcom Wi-Fi driver used in the AP-2xx series access points allows
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via crafted wireless control message packets. The attacker
must be joined to the network (wired or wireless); this vulnerability may
not be exercised by an unauthenticated user against a WPA2 network.

Tunnel mode (the default operating mode for ArubaOS) is not affected,
since wireless frames are not processed by the Broadcom driver in this
mode of operation. APs configured for D-Tunnel mode or local bridging
mode are affected. If an AP-2xx is deployed as a RAP with local bridging
of Wi-Fi traffic, it is also affected.
Severity: Medium
CVSSv2 Overall Score: 4.9
CVSSv2 Vector: (AV:A/AC:M/Au:S/C:P/I:P/A:P)
Discovery: This vulnerability was publicly announced.
Fix: Fixed in 6.3.1.20, 6.4.2.16, 6.4.3.7, and 6.4.4.5

DHCP Denial of Service Vulnerability (CVE-2015-8605)
----------------------------------------------------
A flaw in the ISC DHCP server allows remote attackers to cause a denial
of service (application crash) via an invalid length field in a UDP IPv4
packet. The flawed DHCP server is incorporated into ArubaOS. If the DHCP
server is enabled in an Aruba mobility controller, an attacker could
cause it to crash. ArubaOS would automatically restart the process;
however, DHCP services would be disrupted temporarily.

Severity: Low
CVSSv2 Overall Score: 2.9
CVSSv2 Vector: (AV:A/AC:M/Au:N/C:N/I:N/A:P)
Discovery: This vulnerability was publicly announced.
Fix: Fixed in 6.3.1.21, 6.4.2.16, 6.4.3.7, and 6.4.4.5

Solution
========
Upgrade to one of the following software versions:

-- ArubaOS 6.3.1.21 or later
-- ArubaOS 6.4.2.16 or later
-- ArubaOS 6.4.3.7 or later
-- ArubaOS 6.4.4.5 or later

Note: ArubaOS 5.x, 6.1.x, and 6.2.x are no longer being actively
developed, and security patches are produced by default only for
high-severity issues. Customers who require patches for older versions
should contact Aruba Technical Support to make that request.

Obtaining Fixed Software
========================
Aruba customers can obtain software updates on the support website:

http://support.arubanetworks.com

Aruba Support contacts are as follows:

+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.
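The three issues above are fixed in different releases within each maintenance train (for example 6.4.2.14 closes the buffer over-read but 6.4.2.16 is needed for the Broadcom and DHCP issues), so "am I on a fixed build?" is a per-issue question. The following script is an added example, not Aruba tooling and not part of the original advisory: it encodes the per-issue fix list and the affected trains exactly as listed above, extracts the version from a pasted `show version` banner, and reports the status of each issue. The banner text is constructed for illustration; the version numbers come from the advisory. Where the advisory lists an affected train without a fix for a given issue (6.3 for the buffer over-read), the script says so rather than guessing.

```python
"""Check an ArubaOS version against the fixed releases in ARUBA-PSA-2016-007.

Added example; not Aruba's tooling. Version numbers are copied from the
advisory; the sample 'show version' banner below is constructed.
"""
import re

ISSUE_OVERREAD = "buffer over-read (no CVE assigned)"
ISSUE_BCM = "CVE-2016-0801 / CVE-2016-0802 (Broadcom Wi-Fi driver)"
ISSUE_DHCP = "CVE-2015-8605 (ISC DHCP server)"

# Per-issue fixed releases, as given in the Details section of the advisory.
FIXED = {
    ISSUE_OVERREAD: ["6.4.2.14", "6.4.3.7", "6.4.4.3"],
    ISSUE_BCM: ["6.3.1.20", "6.4.2.16", "6.4.3.7", "6.4.4.5"],
    ISSUE_DHCP: ["6.3.1.21", "6.4.2.16", "6.4.3.7", "6.4.4.5"],
}

# Release trains listed under Affected Products.
AFFECTED_TRAINS = [(6, 3), (6, 4, 2), (6, 4, 3), (6, 4, 4)]

# Constructed sample banner; the real 'show version' output has more lines.
SAMPLE_SHOW_VERSION = """\
Aruba Operating System Software.
ArubaOS (MODEL: Aruba7210), Version 6.4.2.12
Website: http://www.arubanetworks.com
Copyright (c) 2002-2015, Aruba Networks, Inc.
"""


def parse_version(text):
    """Return the first dotted version in text (e.g. '6.4.2.12') as a tuple of ints."""
    m = re.search(r"\b(\d+(?:\.\d+){2,3})\b", text)
    if not m:
        raise ValueError("no ArubaOS version found in input")
    return tuple(int(p) for p in m.group(1).split("."))


def in_scope(version):
    """True if the version falls in a train the advisory lists as affected."""
    return any(version[:len(t)] == t for t in AFFECTED_TRAINS)


def status(version, fixed_releases):
    """One of 'fixed', 'vulnerable', 'no fix listed for this train', 'out of scope'."""
    if not in_scope(version):
        return "out of scope"
    for fixed in (parse_version(f) for f in fixed_releases):
        if fixed[:3] == version[:3]:  # same maintenance train, e.g. 6.4.2.x
            return "fixed" if version >= fixed else "vulnerable"
    # Affected train, but the advisory lists no fixed release for this issue.
    return "no fix listed for this train"


def assess(show_version_output):
    """Map each issue in the advisory to its status for the given banner."""
    version = parse_version(show_version_output)
    return {issue: status(version, fixed) for issue, fixed in FIXED.items()}


if __name__ == "__main__":
    for issue, result in assess(SAMPLE_SHOW_VERSION).items():
        print(f"{result:32} {issue}")
```

The script only answers the version question. For the Broadcom issue the advisory's exposure condition also depends on the AP forwarding mode (tunnel mode is not affected; D-Tunnel, bridge and RAP local bridging are), and for the DHCP issue on whether the controller's DHCP server is enabled; check those in the configuration separately before deciding on urgency.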
Revision History
================
Revision 1.0 / 2016-May-11 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products, and on obtaining assistance with security incidents,
is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use
of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2016 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXM1tRAAoJEJj+CcpFhYbZ07UH/3GnIBJtsZpWRV9Szuv1mJfw
WXecWklPwB+ezXZnBTiOEf00lC29ZxMqU8vAMxqFYfMbi4Wb4yvtLPKpdb2mwAtX
eaYIXcAic61CVpIZnlLhf3G0Ja++e61BJsdUesxLllgAqVtKPjPvAIzYg0UC1fBf
otEU625k6Ln9c9xmw9U/K5k4rIvhfo1AN675mZ49ir6VsK2hFpxQ1AJgR+h3ix2Y
auz690ZLIKHl46u63ABsTExuZPHQLZ2xsrg2qZU3sq4WxfHnM0TP2E2XDDUgbPO+
6WB8yWx1u3+NOCGBdaz/gBgC4NmMl5QM08iRl/a3+lFsZTFX4a0yJ4ee6HXe9p0=
=U8PJ
-----END PGP SIGNATURE-----