-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2017-001
CVE: CVE-2016-8526, CVE-2016-8527
Publication Date: 2017-Jan-18
Status: Confirmed
Revision: 1

Title
=====

AirWave Management Platform Multiple Vulnerabilities

Overview
========

This week, Aruba expects a security consulting firm to publicly disclose two vulnerabilities in Aruba AirWave. The first is an XML External Entity (XXE) vulnerability; the second is a reflected cross-site scripting (XSS) vulnerability. Both vulnerabilities exist in the VisualRF component of AirWave, and both require authentication using valid administrative credentials.

Affected Products
=================

-- AirWave (all versions up to, but not including, 8.2.3.1)

Details
=======

XML External Entity Vulnerability (CVE-2016-8526)
-------------------------------------------------

XML external entities (XXE) are a mechanism that permits XML parsers to access content stored on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation.

Certain files used by VisualRF can be uploaded by an authenticated administrative user, and these files may contain arbitrary XML. Where a single administrator manages the entire AirWave system, the threat is very low (the AirWave administrator already has the root password to the AMP server), but in environments with users of different privilege levels, this vulnerability could allow a low-privilege user to obtain unauthorized access.
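The mitigation the XXE description above implies is to refuse a DTD before any entity can be expanded. The following is an added example, not Aruba or AirWave code: an upload validator that scans a document with Python's stdlib expat parser, aborts on the first DOCTYPE or ENTITY declaration, and only then hands the document to ElementTree. The sample documents, element names and the file path in the entity are constructed for the demonstration.

```python
# Added example (not Aruba/AirWave code): reject XML uploads that carry a
# DOCTYPE or entity declaration before they ever reach the real parser.
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an uploaded document declares a DTD or entities."""


def _doctype_seen(name, sysid, pubid, has_internal_subset):
    # Raising inside an expat handler stops parsing immediately, so nothing
    # declared in the DTD is ever expanded or fetched.
    raise UnsafeXMLError(f"DOCTYPE declaration is not allowed (root={name!r})")


def _entity_seen(name, is_param, value, base, system_id, public_id, notation):
    raise UnsafeXMLError(f"ENTITY declaration is not allowed ({name!r})")


def check_no_dtd(data: bytes) -> None:
    """Scan data with expat; raise UnsafeXMLError on any DOCTYPE or ENTITY."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _doctype_seen
    parser.EntityDeclHandler = _entity_seen
    # Never fetch parameter entities from outside the document either.
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)


def parse_upload(data: bytes) -> ET.Element:
    """Validate, then parse an uploaded XML document; returns the root."""
    check_no_dtd(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """'accepted:<root tag>' for safe input, 'rejected' for DTD-bearing input."""
    try:
        return "accepted:" + parse_upload(data).tag
    except UnsafeXMLError:
        return "rejected"


# Constructed samples (hypothetical element names, not an AirWave format).
BENIGN = (b'<?xml version="1.0"?>'
          b'<floorplan name="HQ-2F"><ap id="1"/></floorplan>')
XXE_ATTEMPT = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE floorplan [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
               b'<floorplan name="&ext;"/>')
BARE_DOCTYPE = b'<!DOCTYPE floorplan><floorplan name="x"/>'

if __name__ == "__main__":
    for sample in (BENIGN, XXE_ATTEMPT, BARE_DOCTYPE):
        print(classify(sample))
```

The check is deliberately stricter than "disable external entities": a document that merely carries a DOCTYPE is refused as well, which is the usual posture for an upload endpoint whose legitimate files never need a DTD. Pairing this with the egress ACLs mentioned under Workarounds limits what an out-of-band exfiltration attempt can reach if a parser elsewhere is misconfigured.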
Severity: MEDIUM
CVSSv3 Overall Score: 4.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered by V. Harishkumar (harishkumar0394) and reported through the Bugcrowd managed bug bounty program. The vulnerability was independently discovered and reported by Pichaya Morimoto of SEC Consult (https://www.sec-consult.com/).

Reflected Cross-Site Scripting (CVE-2016-8527)
----------------------------------------------

A reflected cross-site scripting (XSS) vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click on the malicious link while logged into AirWave in the same browser.

Severity: MEDIUM
CVSSv3 Overall Score: 4.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered by "fmast" and reported through the Bugcrowd managed bug bounty program. The vulnerability was independently discovered and reported by Pichaya Morimoto of SEC Consult (https://www.sec-consult.com/).

Resolution
==========

This issue will be resolved in AirWave version 8.2.3.1, which is scheduled for release by January 31, 2017.

Workarounds
===========

If all administrative users of the AirWave Management Platform have the same privilege level, no workaround is needed to mitigate the XXE vulnerability. If not, prevent low-privilege users from accessing VisualRF, particularly the ability to upload files to the system. The use of firewall rules or ACLs to control outbound communication from AirWave to other servers may also help, although the nature of the threat as an "insider attack" means that blocking communication at an Internet gateway may not be sufficient.
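For the reflected XSS described above, the server-side controls that matter are output encoding of the reflected value and cookie attributes that keep script from reading the session token the advisory says could be stolen. The following is an added example, not Aruba or AirWave code: a vulnerable reflection beside its encoded form, plus a response builder that sets HttpOnly on a session cookie and a restrictive Content-Security-Policy. The handler name, the `query` parameter and the `ampsession` cookie name are hypothetical.

```python
# Added example (not Aruba/AirWave code): reflected-XSS mitigations on the
# server side. Parameter and cookie names are hypothetical.
import html
from urllib.parse import quote


def render_results_unsafe(query: str) -> str:
    """Vulnerable pattern: the request parameter is reflected verbatim, so
    any markup it contains becomes part of the page's DOM."""
    return f"<p>Results for: {query}</p>"


def render_results(query: str) -> str:
    """Hardened: escape <, >, &, " and ' before the value touches HTML."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for a session token that page script cannot read
    (HttpOnly) and that is only sent over TLS (Secure)."""
    return ("ampsession=%s; Path=/; Secure; HttpOnly; SameSite=Strict"
            % quote(session_id, safe=""))


def build_response(query: str, session_id: str) -> dict:
    """Assemble headers and body for the hypothetical search handler."""
    return {
        "status": 200,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            # Inline script is not allowed, so a reflected payload that does
            # slip through encoding still cannot execute.
            "Content-Security-Policy": "default-src 'self'",
            "X-Content-Type-Options": "nosniff",
            "Set-Cookie": session_cookie(session_id),
        },
        "body": render_results(query),
    }


def reflects_markup(page: str, marker: str) -> bool:
    """Detection helper: does the rendered page contain the marker unencoded?"""
    return marker in page


# Constructed probe: harmless markup used only to check encoding behaviour.
PROBE = '"><b>injected</b>'

if __name__ == "__main__":
    print("unsafe reflects markup:", reflects_markup(render_results_unsafe(PROBE), "<b>"))
    print("hardened reflects markup:", reflects_markup(render_results(PROBE), "<b>"))
    print(build_response(PROBE, "example-session-id")["headers"]["Set-Cookie"])
```

The advisory's user-side workaround (do not browse third-party sites while logged in; log out explicitly) reduces the window in which a crafted link reaches an authenticated session; HttpOnly and a no-inline-script CSP reduce what such a link can achieve when it does.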
To mitigate the reflected XSS vulnerability, do not visit third-party websites while logged into AirWave in the same browser. Always explicitly log out of AirWave when finished with the session. Using a separate browser only for network administration may help to further mitigate the vulnerability.

Revision History
================

Revision 1 / 2017-Jan-18 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYfnIDAAoJEJj+CcpFhYbZ1PcIAJLpW8+qBBYFYCuJQ7CnETvP
ZzDrbDCK2SRdrWz80t+ZTagJrx2prph7w610Nh0ZDBbt4ASTDC6MrGZbx03oPA7o
nwrK3inVInmIMSbqvChJbqnAaDU0jRoNyMPKOwGbyycbcf+JX8wNiRBCHI49ALmR
SMdyw8qxLsVRsOaIZ08cUML+csoibWRdfArnnp/hvAHUikqdsFZRI0ayVejxes7Q
t6F8BhKJ0I8TkpCH1JAZhBOrMLL+/VY07nNT4N0chVCpE0WND9T+cZj0zxSGJlQQ
gcYkQzdUddUjpyXP6RoCIpBamK3cxgF229gcSVuAQb0AeyTxo8Te2yqBLOgoH7A=
=P29D
-----END PGP SIGNATURE-----