exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Aruba Networks Security Advisory - 070611

Aruba Networks Security Advisory - 070611
Posted Jul 8, 2011
Site arubanetworks.com

Aruba Networks Security Advisory - A persistent cross site scripting vulnerability was discovered where an attacker could plant an AP with a maliciously crafted SSID in the general vicinity of the wireless LAN and might be able to trigger a XSS vulnerability in the reporting sections of the ArubaOS and AirWave Administration WebUIs.

tags | advisory, xss
SHA-256 | 65c13bb632da606e6926e7c096d0d669b1d42968ee06e8bf0e6aa05eb4863634

Aruba Networks Security Advisory - 070611

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


ADVISORY NUMBER AID-070611


Advisory # 1:

TITLE

Cross Site Scripting vulnerability in ArubaOS and AirWave
Administration Web Interfaces.

SUMMARY

A persistent Cross Site Scripting vulnerability (XSS) was discovered
where an attacker
could plant an AP with maliciously crafted SSID in the general
vicinity of the wireless LAN
and might be able to trigger a XSS vulnerability in the reporting
sections of the ArubaOS
and AirWave Administration WebUIs.

AFFECTED VERSIONS

- - ArubaOS 3.3.X, 3.4.X, 5.0.X, 6.0.X, 2.4.X-FIPS, 3.3.X-FIPS and
3.4.X-FIPS
- - AirWave 7.2.X



DETAILS

ArubaOS and AirWave maintain information on all wireless network SSIDs
and APs visible
on the wireless network and the general vicinity. This information is
used for security
and reporting purposes. An attacker could plant an AP with maliciously
crafted SSID and
might trigger a XSS vulnerability in certain sections of the ArubaOS
and AirWave
Administration WebUIs related to reporting.

This vulnerability would manifest when administrator would log in to
the WebUI and
browse to the reporting section. This vulnerability requires the
administrator
to be successfully logged in with valid credentials. However the
malicious AP does
not have to be beaconing the SSID continuously as the SSID information
is stored in the
controller for sometime for reporting purposes after it is first
observed.


IMPACT

An attacker could plant an AP with maliciously crafted SSID in the
general vicinity of the
wireless LAN and might trigger a XSS vulnerability in reporting
section of the ArubaOS and
AirWave WebUIs. This vulnerability could potentially be used to
execute commands on the
controller with admin credentials.

NOTE: This vulnerability manifests when the administrator is
successfully logged in with
valid credentials and browses to the affected reporting sections of
the ArubaOS and AirWave
WebUIs.

CVSS v2 BASE METRIC SCORE: 4.8 (AV:A/AC:L/AU:N/C:P/I:P/A:N)

WORKAROUNDS

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon
as practical.


SOLUTION

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon
as practical.

The following patches have the fix (any newer patch will also have the
fix):

- - ArubaOS 3.3.3.10
- - ArubaOS 3.4.4.2
- - ArubaOS 5.0.3.2
- - ArubaOS 6.0.1.1
- - ArubaOS 2.4.8.27-FIPS
- - ArubaOS 3.3.2.21-FIPS
- - ArubaOS 3.4.4.0-FIPS

- - AirWave 7.2.2

The FIPS releases noted above are currently undergoing FIPS
certification and are
available from Aruba on request.

Please note: We highly recommend that you upgrade your Mobility
Controller to the
latest available patch on the Aruba support site corresponding to your
currently
installed release.

+----------------------------------------------------


Advisory # 2:

TITLE

HTTP Response splitting vulnerability in ArubaOS Captive Portal Web
Interface

SUMMARY

A HTTP Response splitting vulnerability was discovered in ArubaOS's
Captive Portal Web
Interface where an attacker might be able to force authenticated
captive portal users to
bypass the custom welcome page post authentication and redirect them
to a site of
attacker's choice.


AFFECTED VERSIONS

- - ArubaOS 3.3.X, 3.4.X, 5.0.X, 6.0.X, 2.4.X-FIPS, 3.3.X-FIPS and
3.4.X-FIPS


DETAILS

ArubaOS allows for authenticated captive portal users to be redirected
to a custom welcome
web page post authentication. A HTTP Response splitting vulnerability
was discovered that
could be exploited by an attacker to force authenticated captive
portal users to completely
bypass the custom welcome page and be redirected to a website of
attacker's choice. Attacker
might achieve this by sending a maliciously crafted URL to the user in
an email. When user
clicks on the link and authenticates successfully to the captive
portal, he/she might be
redirected to a site of attacker's choice rather than the captive
portal's custom welcome
page.

This vulnerability does not affect the default captive portal
configuration where no custom
welcome page is used.

IMPACT

An attacker could force an authenticated captive portal user to be
redirected to a website of
attacker's choice rather than captive portal's custom welcome page.
For this vulnerability to
manifest, user would have to click on a maliciously crafted link and
then authenticate
successfully to the presented captive portal authentication page.

NOTE: Default captive portal configuration is NOT vulnerable to this
issue where no custom
welcome page is configured.


CVSS v2 BASE METRIC SCORE: 4.9 (AV:N/AC:M/AU:S/C:P/I:P/A:N)


HOW TO IDENTIFY IF YOU ARE VULNERABLE

If the following lines exist in your configuration for a particular
active captive portal
profile then you are vulnerable.

aaa authentication captive-portal <profile>
...
...
welcome-page <custom site>
!


WORKAROUNDS

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon
as practical. However, in the event that a patch cannot immediately
be applied, the
following steps will help to mitigate the risk:

- - Disable welcome page all together. This will result in users
directly landing at the site
they requested.

aaa authentication captive-portal <profile>
no enable-welcome-page
!

- - Disable custom welcome page. This will result in users being
presented with default Aruba
captive portal welcome page

aaa authentication captive-portal <profile>
no welcome-page
!


SOLUTION

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon
as practical.

The following patches have the fix (any newer patch will also have the
fix):

- - Aruba OS 3.3.3.10
- - Aruba OS 3.4.4.2
- - Aruba OS 5.0.3.2
- - Aruba OS 6.0.1.1
- - Aruba OS 2.4.8.27-FIPS
- - Aruba OS 3.3.2.21-FIPS
- - Aruba OS 3.4.4.0-FIPS


The FIPS releases noted above are currently undergoing FIPS
certification and are
available from Aruba on request.

Please note: We highly recommend that you upgrade your Mobility
Controller to the
latest available patch on the Aruba support site corresponding to your
currently
installed release.



+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
https://www.arubanetworks.com/support.

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

+1-408-754-1200 (toll call from anywhere in the world)

e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at

Aruba W.S.I.R.T. Advisory:
https://www.arubanetworks.com/support/alerts/aid-070611.asc

SecurityFocus Bugtraq
https://www.securityfocus.com/archive/1


STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
https://www.arubanetworks.com/support/alerts/aid-070611.asc



Future updates of this advisory, if any, will be placed on Aruba's
worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY

Revision 1.0 / 07-06-2011 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba
Networks
products, obtaining assistance with security incidents is available at

https://www.arubanetworks.com/support-services/aruba-support-program/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at

https://www.arubanetworks.com/support-services/aruba-support-program/security-bulletins/


(c) Copyright 2011 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - https://gpgtools.org
Comment: Using GnuPG with Mozilla - https://enigmail.mozdev.org/

iEYEARECAAYFAk4UoTUACgkQp6KijA4qefVfowCg806Rh3rtIda9/Ginr9c/Zn7h
MCkAoOiXcpTSac6VYGI1mFftnv58N1Qd
=DjI4
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close