<<< Date Index >>>     <<< Thread Index >>>

Aruba Mobility Controller SNMP Community String Disclosure



Aruba Mobility Controller SNMP Community String Disclosure


Product:

Aruba Mobility Controller
http://www.arubanetworks.com/products/mobility_controllers.php


Aruba mobility controller can be monitored via SNMP. It is possible to learn 
all configured SNMP community strings as long as at least one of them is known 
to the attacker. This can be accomplished by walking OID branch 
SNMP-COMMUNITY-MIB::snmpCommunityName (1.3.6.1.6.3.18.1.1.1.2) or 
SNMP-VIEW-BASED-ACM-MIB::vacmGroupName (1.3.6.1.6.3.16.1.2.1.3).

While the vulnerability is not in any way exposing the Aruba controller itself, 
the disclosure may lead to unauthorized access to other devices for which the 
attacker originally did not possess valid community strings.

Similarly it is possible to enumerate SNMPv3 users by inspecting 
SNMP-USER-BASED-SM-MIB or SNMP-VIEW-BASED-ACM-MIB but the passwords are not 
disclosed. This means that only noAuthNoPriv users represent an immediate 
exposure.


The vulnerability has been identified in ArubaOS version 3.3.2.6 but previous 
versions are also likely affected.


Solution:
Do not rely solely on SNMP community strings to separate access by different 
clients. Where impractical, use unique community strings for the Aruba 
infrastructure.


Found by:
nnposter