Aruba Mobility Controller TACACS User Authentication and Cross Site Scripting Vulnerabilities (Aruba Advisory ID: AID-051408)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Aruba Networks Security Advisory
Title: Aruba Mobility Controller TACACS User Authentication and Cross
Site Scripting Vulnerabilities
Aruba Advisory ID: AID-051408
Revision: 1.0
For Public Release on 05/14/2008
+----------------------------------------------------
1.)
TITLE: Mobility Controller TACACS User Authentication Vulnerability
SUMMARY
A user authentication vulnerability was discovered during standard bug
reporting procedures in the Aruba Mobility Controller. This
vulnerability only affects customers using TACACS authentication for
Controller management users.
AFFECTED ArubaOS VERSIONS
~ 3.1.1.x, 3.2.0.x, 3.3.1.x and 3.1.1FIPS
DETAILS
Aruba Mobility Controllers may use external authentication methods to
authenticate users. A vulnerability in the TACACS authentication
component may allow unauthorized web UI/ssh/telnet access to the Aruba
Mobility Controller. TACACS is not the default authentication method and
must be configured as an authentication method for users before it will
be used. By default, user accounts and passwords are kept in a local
database which is not vulnerable to this issue. Other authentication
methods supported by the Aruba Mobility Controller are not vulnerable to
this issue.
IMPACT
An attacker with web UI/ssh/telnet access to the Aruba Mobility
Controller may be able to gain unauthorized access to the administration
account of an Aruba Mobility Controller.
CVSS BASE METRIC SCORE: 10
WORKAROUNDS
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon
as practical. However, in the event that a patch cannot immediately be
applied, the
following steps will help to mitigate the risk:
- - Disable TACACS authentication for all accounts until such time as the
patches can be applied.
- - Do not expose the Mobility Controller administrative interface to
untrusted networks
such as the Internet.
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
cannot immediately be applied, the workaround steps will help to
mitigate the risk.
+----------------------------------------------------
2.)
TITLE: Mobility Controller Web UI Cross Site Scripting Vulnerabilities
SUMMARY
Cross-site scripting vulnerabilities were discovered during standard bug
reporting procedures in the Aruba Mobility Controller. Certain malformed
inputs to the web UI allow the injection of cross-site scripting (XSS)
components, leading to a potential compromise of client web session
integrity.
AFFECTED ArubaOS VERSIONS
~ 2.5.5.x, 2.5.6.x, 2.4.8.x-FIPS, 3.1.1.x, 3.1.1.x-FIPS, 3.2.0.x, 3.3.1.x
DETAILS
Aruba Mobility Controllers may present a web-based management and
captive portal interface. Providing malformed input to the web UI may
result in the presentation of that input to the user. Malicious XSS
injection via the web UI may not require action to be taken by the victim.
IMPACT
An attacker with web UI access to the Aruba Mobility Controller may be
able to compromise the integrity of a client web session or subvert the
authentication exchange content to retrieve administrator authentication
credentials to the Aruba Mobility Controller.
CVSS BASE METRIC SCORE: 10
WORKAROUNDS
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon
as practical. However, in the event that a patch cannot immediately be
applied, the
following steps will help to mitigate the risk:
- - Do not expose the Mobility Controller administrative interface to
untrusted networks
such as the Internet.
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
cannot immediately be applied, the workaround steps will help to
mitigate the risk.
+----------------------------------------------------
OBTAINING FIXED FIRMWARES
Aruba customers can obtain the firmware on the support website:
http://www.arubanetworks.com/support.
Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com
Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.
EXPLOITATION AND PUBLIC ANNOUNCEMENTS
This vulnerability will be announced at
Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-051408.asc
SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1
STATUS OF THIS NOTICE: Final
Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid051408.asc
Future updates of this advisory, if any, will be placed on Aruba's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
REVISION HISTORY
~ Revision 1.0 / 05-14-2008 / Initial release
ARUBA WSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba
Wireless Networks products, obtaining assistance with security incidents
is available at
~ http://www.arubanetworks.com/support/wsirt.php
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For
sensitive information we encourage the use of PGP encryption. Our public
keys can be found at
http://www.arubanetworks.com/support/wsirt.php
~ (c) Copyright 2008 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFIK37cp6KijA4qefURAjWEAKC3plExe5/hjXvUU5huEV52b1O4MQCgnx4E
XIJratDXAqBC+Wu5mV6BsLo=
=0Dse
-----END PGP SIGNATURE-----