-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2017-001
CVE: CVE-2016-8526, CVE-2016-8527
Publication Date: 2017-Jan-18
Status: Confirmed
Revision: 1


Title
=====
AirWave Management Platform Multiple Vulnerabilities


Overview
========
This week, Aruba expects a security consulting firm to publicly disclose two
vulnerabilities in Aruba AirWave. The first is an XML External Entity (XXE)
vulnerability, while the second is a reflected cross-site scripting (XSS)
vulnerability. Both vulnerabilities exist in the VisualRF component of
AirWave. Both vulnerabilities require authentication using valid
administrative credentials.


Affected Products
=================
 -- AirWave (all versions up to, but not including, 8.2.3.1)


Details
=======
  XML External Entity Vulnerability (CVE-2016-8526)
  -------------------------------------------------
  XML external entities (XXE) are a way to permit XML parsers to access storage
  that exist on external systems. If an unprivileged user is permitted to
  control the contents of XML files, XXE can be used as an attack vector.
  Because the XML parser has access to the local filesystem and runs with
  the permissions of the web server, it can access any file that is readable
  by the web server and copy it to an external system of the attacker's
  choosing.  This could include files that contain passwords, which could
  then lead to privilege escalation.

  Certain files used by VisualRF can be uploaded by an authenticated
  administrative user, and these files may contain arbitrary XML code. Where
  a single administrator manages the entire AirWave system, the threat is
  very low (the AirWave administrator already has the root password to the
  AMP server) but in environments with users of different privilege levels,
  this vulnerability could allow a low-privilege user to obtain unauthorized
  access.

  Severity: MEDIUM
  CVSSv3 Overall Score: 4.5
  CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

  Discovery: This vulnerability was discovered by V. Harishkumar
  (harishkumar0394) and reported through the Bugcrowd managed bug bounty
  program. The vulnerability was independently discovered and reported by
  Pichaya Morimoto of SEC Consult (https://www.sec-consult.com/).


  Reflected Cross-Site Scripting (CVE-2016-8527)
  ----------------------------------------------
  A reflected cross-site scripting (XSS) vulnerability is present in the
  VisualRF component of AirWave. By exploiting this vulnerability, an attacker
  who can trick a logged-in AirWave administrative user into clicking a link
  could obtain sensitive information, such as session cookies or passwords.
  The vulnerability requires that an administrative users click on the
  malicious link while currently logged into AirWave in the same browser.

  Severity: MEDIUM
  CVSSv3 Overall Score: 4.5
  CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

  Discovery: This vulnerability was discovered by "fmast" and reported through
  the BugCrowd managed bug bounty program. The vulnerability was
  independently discovered and reported by Pichaya Morimoto of
  SEC Consult (https://www.sec-consult.com/).


Resolution
==========
This issue will be resolved in AirWave version 8.2.3.1, which is scheduled for
release by January 31, 2017.


Workarounds
===========
If all administrative users of the AirWave Management Platform have the same
privilege level, no workaround is needed to mitigate the XXE vulnerability.
If not, prevent low-privilege users from access VisualRF, particularly the
ability to upload files to the system. The use of firewall rules or ACLs to
control outbound communication from AirWave to other servers may also help,
although the nature of the threat as an "insider attack" means that blocking
communication at an Internet gateway may not be sufficient.

To mitigate the reflected XSS vulnerability, do not visit third-party websites
while logged into AirWave in the same browser. Always explicitly log out of
AirWave when finished with the session. Using a separate browser only for
network administration may help to further mitigate the vulnerability.


Revision History
================

      Revision 1 / 2017-Jan-18 / Initial release


Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYfnIDAAoJEJj+CcpFhYbZ1PcIAJLpW8+qBBYFYCuJQ7CnETvP
ZzDrbDCK2SRdrWz80t+ZTagJrx2prph7w610Nh0ZDBbt4ASTDC6MrGZbx03oPA7o
nwrK3inVInmIMSbqvChJbqnAaDU0jRoNyMPKOwGbyycbcf+JX8wNiRBCHI49ALmR
SMdyw8qxLsVRsOaIZ08cUML+csoibWRdfArnnp/hvAHUikqdsFZRI0ayVejxes7Q
t6F8BhKJ0I8TkpCH1JAZhBOrMLL+/VY07nNT4N0chVCpE0WND9T+cZj0zxSGJlQQ
gcYkQzdUddUjpyXP6RoCIpBamK3cxgF229gcSVuAQb0AeyTxo8Te2yqBLOgoH7A=
=P29D
-----END PGP SIGNATURE-----