Aruba Networks Security Advisory - A persistent cross site scripting vulnerability was discovered where an attacker could plant an AP with a maliciously crafted SSID in the general vicinity of the wireless LAN and might be able to trigger a XSS vulnerability in the reporting sections of the ArubaOS and AirWave Administration WebUIs.
65c13bb632da606e6926e7c096d0d669b1d42968ee06e8bf0e6aa05eb4863634
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ADVISORY NUMBER AID-070611
Advisory # 1:
TITLE
Cross Site Scripting vulnerability in ArubaOS and AirWave
Administration Web Interfaces.
SUMMARY
A persistent Cross Site Scripting vulnerability (XSS) was discovered
where an attacker
could plant an AP with maliciously crafted SSID in the general
vicinity of the wireless LAN
and might be able to trigger a XSS vulnerability in the reporting
sections of the ArubaOS
and AirWave Administration WebUIs.
AFFECTED VERSIONS
- - ArubaOS 3.3.X, 3.4.X, 5.0.X, 6.0.X, 2.4.X-FIPS, 3.3.X-FIPS and
3.4.X-FIPS
- - AirWave 7.2.X
DETAILS
ArubaOS and AirWave maintain information on all wireless network SSIDs
and APs visible
on the wireless network and the general vicinity. This information is
used for security
and reporting purposes. An attacker could plant an AP with maliciously
crafted SSID and
might trigger a XSS vulnerability in certain sections of the ArubaOS
and AirWave
Administration WebUIs related to reporting.
This vulnerability would manifest when administrator would log in to
the WebUI and
browse to the reporting section. This vulnerability requires the
administrator
to be successfully logged in with valid credentials. However the
malicious AP does
not have to be beaconing the SSID continuously as the SSID information
is stored in the
controller for sometime for reporting purposes after it is first
observed.
IMPACT
An attacker could plant an AP with maliciously crafted SSID in the
general vicinity of the
wireless LAN and might trigger a XSS vulnerability in reporting
section of the ArubaOS and
AirWave WebUIs. This vulnerability could potentially be used to
execute commands on the
controller with admin credentials.
NOTE: This vulnerability manifests when the administrator is
successfully logged in with
valid credentials and browses to the affected reporting sections of
the ArubaOS and AirWave
WebUIs.
CVSS v2 BASE METRIC SCORE: 4.8 (AV:A/AC:L/AU:N/C:P/I:P/A:N)
WORKAROUNDS
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon
as practical.
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon
as practical.
The following patches have the fix (any newer patch will also have the
fix):
- - ArubaOS 3.3.3.10
- - ArubaOS 3.4.4.2
- - ArubaOS 5.0.3.2
- - ArubaOS 6.0.1.1
- - ArubaOS 2.4.8.27-FIPS
- - ArubaOS 3.3.2.21-FIPS
- - ArubaOS 3.4.4.0-FIPS
- - AirWave 7.2.2
The FIPS releases noted above are currently undergoing FIPS
certification and are
available from Aruba on request.
Please note: We highly recommend that you upgrade your Mobility
Controller to the
latest available patch on the Aruba support site corresponding to your
currently
installed release.
+----------------------------------------------------
Advisory # 2:
TITLE
HTTP Response splitting vulnerability in ArubaOS Captive Portal Web
Interface
SUMMARY
A HTTP Response splitting vulnerability was discovered in ArubaOS's
Captive Portal Web
Interface where an attacker might be able to force authenticated
captive portal users to
bypass the custom welcome page post authentication and redirect them
to a site of
attacker's choice.
AFFECTED VERSIONS
- - ArubaOS 3.3.X, 3.4.X, 5.0.X, 6.0.X, 2.4.X-FIPS, 3.3.X-FIPS and
3.4.X-FIPS
DETAILS
ArubaOS allows for authenticated captive portal users to be redirected
to a custom welcome
web page post authentication. A HTTP Response splitting vulnerability
was discovered that
could be exploited by an attacker to force authenticated captive
portal users to completely
bypass the custom welcome page and be redirected to a website of
attacker's choice. Attacker
might achieve this by sending a maliciously crafted URL to the user in
an email. When user
clicks on the link and authenticates successfully to the captive
portal, he/she might be
redirected to a site of attacker's choice rather than the captive
portal's custom welcome
page.
This vulnerability does not affect the default captive portal
configuration where no custom
welcome page is used.
IMPACT
An attacker could force an authenticated captive portal user to be
redirected to a website of
attacker's choice rather than captive portal's custom welcome page.
For this vulnerability to
manifest, user would have to click on a maliciously crafted link and
then authenticate
successfully to the presented captive portal authentication page.
NOTE: Default captive portal configuration is NOT vulnerable to this
issue where no custom
welcome page is configured.
CVSS v2 BASE METRIC SCORE: 4.9 (AV:N/AC:M/AU:S/C:P/I:P/A:N)
HOW TO IDENTIFY IF YOU ARE VULNERABLE
If the following lines exist in your configuration for a particular
active captive portal
profile then you are vulnerable.
aaa authentication captive-portal <profile>
...
...
welcome-page <custom site>
!
WORKAROUNDS
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon
as practical. However, in the event that a patch cannot immediately
be applied, the
following steps will help to mitigate the risk:
- - Disable welcome page all together. This will result in users
directly landing at the site
they requested.
aaa authentication captive-portal <profile>
no enable-welcome-page
!
- - Disable custom welcome page. This will result in users being
presented with default Aruba
captive portal welcome page
aaa authentication captive-portal <profile>
no welcome-page
!
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon
as practical.
The following patches have the fix (any newer patch will also have the
fix):
- - Aruba OS 3.3.3.10
- - Aruba OS 3.4.4.2
- - Aruba OS 5.0.3.2
- - Aruba OS 6.0.1.1
- - Aruba OS 2.4.8.27-FIPS
- - Aruba OS 3.3.2.21-FIPS
- - Aruba OS 3.4.4.0-FIPS
The FIPS releases noted above are currently undergoing FIPS
certification and are
available from Aruba on request.
Please note: We highly recommend that you upgrade your Mobility
Controller to the
latest available patch on the Aruba support site corresponding to your
currently
installed release.
+----------------------------------------------------
OBTAINING FIXED FIRMWARE
Aruba customers can obtain the firmware on the support website:
https://www.arubanetworks.com/support.
Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com
Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.
EXPLOITATION AND PUBLIC ANNOUNCEMENTS
This vulnerability will be announced at
Aruba W.S.I.R.T. Advisory:
https://www.arubanetworks.com/support/alerts/aid-070611.asc
SecurityFocus Bugtraq
https://www.securityfocus.com/archive/1
STATUS OF THIS NOTICE: Final
Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled
copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
https://www.arubanetworks.com/support/alerts/aid-070611.asc
Future updates of this advisory, if any, will be placed on Aruba's
worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
REVISION HISTORY
Revision 1.0 / 07-06-2011 / Initial release
ARUBA WSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba
Networks
products, obtaining assistance with security incidents is available at
https://www.arubanetworks.com/support-services/aruba-support-program/security-bulletins/
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at
https://www.arubanetworks.com/support-services/aruba-support-program/security-bulletins/
(c) Copyright 2011 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - https://gpgtools.org
Comment: Using GnuPG with Mozilla - https://enigmail.mozdev.org/
iEYEARECAAYFAk4UoTUACgkQp6KijA4qefVfowCg806Rh3rtIda9/Ginr9c/Zn7h
MCkAoOiXcpTSac6VYGI1mFftnv58N1Qd
=DjI4
-----END PGP SIGNATURE-----