Aruba Mobility Controller User Authentication Vulnerability - Aruba Advisory ID: AID-122207



Aruba Networks Security Advisory

Title: Aruba Mobility Controller User Authentication Vulnerability
Aruba Advisory ID: AID-122207
Revision: 1.0

Please see attached PGP signed file for details of the vulnerability.


-Robbie

---------------------
Robbie Gill
Aruba Networks
rgill@xxxxxxxxxxxxxxxxx 
----------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Aruba Networks Security Advisory

Title: Aruba Mobility Controller User Authentication Vulnerability
Aruba Advisory ID: AID-122207
Revision: 1.0

For Public Release on 12/22/2007



SUMMARY

A user authentication vulnerability was discovered during standard bug
reporting procedures in the Aruba Mobility Controller.  This
vulnerability affects customers running firmware versions at or below
2.3.6.15, 2.5.2.11, 2.5.4.25, 2.5.5.7, 3.1.1.3, and 2.4.8.11-FIPS who
use LDAP authentication for management and VPN (PAP-L2TP) users.


DETAILS

Aruba Mobility Controllers may use external authentication methods to
authenticate administrative and VPN users.  A vulnerability in the
LDAP authentication component may allow unauthorized use of
LDAP-authenticated administrative and PAP-L2TP user accounts.  LDAP is
not the default authentication method and must be explicitly
configured as an authentication method for users before it will be
used.  By default, administrative user accounts and passwords are kept
in a local database, which is not vulnerable to this defect.  The other
VPN authentication methods supported by the Aruba Mobility Controller
are not vulnerable to this defect.


IMPACT

An attacker with access to the management or VPN interfaces of an
Aruba Mobility Controller and knowledge of an existing account may be
able to access the Aruba Mobility Controller with the access levels of
that account (for administrative users) or access the VPN services
(for VPN users).

CVSS BASE METRIC SCORE: 10


WORKAROUNDS

See Solution below.


SOLUTION

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.  However, in the event that a patch
cannot immediately be applied, the following steps will help to
mitigate the risk:

- Do not expose the Mobility Controller administrative interface to
untrusted networks such as the Internet.

- Disable LDAP authentication for administrative accounts until such
time as the patches can be applied.

- Disable LDAP authentication for VPN users until such time as the
patches can be applied.

- Disable anonymous binds in the LDAP server until such time as the
patches can be applied.
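
The advisory does not describe the defect itself, but its last
workaround (disabling anonymous binds on the directory server) points at
the classic failure mode of LDAP-backed logins: RFC 4513 section 5.1
defines, besides the name/password bind, an "anonymous" bind (empty
name, empty password) and an "unauthenticated" bind (non-empty name,
empty password), and a server that permits the latter answers the bind
with a success result code without checking anything.  A client that
treats any successful bind as a successful login then accepts an empty
password for any account name, which matches the IMPACT wording above
("knowledge of an existing account").  The example below, written for
this page and not Aruba code, shows that failure mode and both fixes:
the server-side policy the workaround refers to, and the client-side
check that removes the dependency on server policy.  It runs entirely
in-process with a constructed directory (one account,
cn=admin,dc=example,dc=com); DirectoryServer, login_naive and
login_hardened are names chosen for the example, and whether this is
precisely the Aruba defect is not stated in the advisory.

```python
# Example code added to this page; not from Aruba or the advisory.
# The BindRequest encoder/decoder follows RFC 4511 section 4.2; the
# server policy follows RFC 4513 section 5.1.  Standard library only.

RESULT_SUCCESS = 0
RESULT_INVALID_CREDENTIALS = 49
RESULT_UNWILLING_TO_PERFORM = 53


def _ber_len(n: int) -> bytes:
    """BER definite-form length (short form below 128 octets)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest } with the simple authentication
    choice: version 3, name as LDAPDN, password as context tag [0] OCTET
    STRING, all wrapped in [APPLICATION 0]."""
    if not 0 < message_id < 0x80:
        raise ValueError("example supports one-byte message IDs only")
    bind = (
        _tlv(0x02, b"\x03")                 # version INTEGER 3
        + _tlv(0x04, name.encode())         # name LDAPDN (OCTET STRING)
        + _tlv(0x80, password.encode())     # simple [0] OCTET STRING
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(msg: bytes):
    """Inverse of encode_simple_bind: (message_id, name, password)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, password, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind")
    return int.from_bytes(mid, "big"), name.decode(), password.decode()


class DirectoryServer:
    """Simple-bind policy of a directory server, reduced to the result code.
    allow_unauthenticated is the server-side knob the workaround refers to."""

    def __init__(self, entries, allow_anonymous=True, allow_unauthenticated=True):
        self.entries = entries              # constructed: DN -> password
        self.allow_anonymous = allow_anonymous
        self.allow_unauthenticated = allow_unauthenticated

    def bind(self, raw_request: bytes) -> int:
        _, name, password = decode_simple_bind(raw_request)
        if name == "" and password == "":       # anonymous bind
            return RESULT_SUCCESS if self.allow_anonymous else RESULT_UNWILLING_TO_PERFORM
        if name != "" and password == "":       # unauthenticated bind
            # The DN is not looked up at all: the session gets an anonymous
            # authorization state, but the result code still says success.
            return RESULT_SUCCESS if self.allow_unauthenticated else RESULT_UNWILLING_TO_PERFORM
        if self.entries.get(name) == password:  # name/password bind
            return RESULT_SUCCESS
        return RESULT_INVALID_CREDENTIALS


def login_naive(server: DirectoryServer, dn: str, password: str) -> bool:
    """The pattern that goes wrong: any successful bind counts as a login."""
    return server.bind(encode_simple_bind(1, dn, password)) == RESULT_SUCCESS


def login_hardened(server: DirectoryServer, dn: str, password: str) -> bool:
    """Refuse the degenerate bind forms before anything is sent, so the
    outcome no longer depends on the directory server's policy."""
    if not dn or not password:
        return False
    return server.bind(encode_simple_bind(1, dn, password)) == RESULT_SUCCESS


def demo() -> dict:
    admin = "cn=admin,dc=example,dc=com"       # constructed account
    directory = {admin: "correct horse"}
    lax = DirectoryServer(directory, allow_unauthenticated=True)
    strict = DirectoryServer(directory, allow_unauthenticated=False)
    return {
        "naive_lax_empty": login_naive(lax, admin, ""),          # True: no password needed
        "naive_strict_empty": login_naive(strict, admin, ""),    # False: server-side fix
        "hardened_lax_empty": login_hardened(lax, admin, ""),    # False: client-side fix
        "hardened_lax_good": login_hardened(lax, admin, "correct horse"),  # True
        "hardened_lax_bad": login_hardened(lax, admin, "wrong"),           # False
    }
```

Two points for anyone applying the LDAP workaround: the empty-name and
the empty-password cases are controlled separately on most directory
servers, so audit both rather than only "anonymous binds"; and the
client-side check in login_hardened belongs in the authenticator
regardless, because a directory that is later replaced or reconfigured
can silently reintroduce the server-side permissive behaviour.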


OBTAINING FIXED FIRMWARES

Aruba customers can obtain the fixed firmware from the support website:
        http://www.arubanetworks.com/support
   
Aruba Support contacts are as follows:

        1-800-WiFiLAN (1-800-943-4526) (toll free from within North
        America)

        +1-408-754-1200 (toll call from anywhere in the world)

        e-mail: support(at)arubanetworks.com

Please do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at 

Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/wsirt/alerts/aid-122207.asc

SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1


STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all
statements in this advisory, all of the facts have been checked to the
best of our ability. Aruba Networks does not anticipate issuing
updated versions of this advisory unless there is some material change
in the facts. Should there be a significant change in the facts, Aruba
Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-122207.asc


Future updates of this advisory, if any, will be placed on Aruba's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.


REVISION HISTORY

      Revision 1.0 / 12-22-2007 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba
Wireless Networks products and on obtaining assistance with security
incidents is available at
http://www.arubanetworks.com/support/wsirt.php
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent
to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For
sensitive information we encourage the use of PGP encryption. Our
public keys can be found at
http://www.arubanetworks.com/support/wsirt.php


(c) Copyright 2007 by Aruba Networks, Inc.  This advisory may be
redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHfyZrp6KijA4qefURAmPFAJ9VphNGHopaely5LbikpgkDOGY+kwCg5FLg
I6tWd4xQF/WeABV+rFW2td4=
=nzLU
-----END PGP SIGNATURE-----