Aruba Mobility Controller SNMP Community String Disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Aruba Mobility Controller SNMP Community String Disclosure
From: nnposter@xxxxxxxxxxxxx
Date: 4 Nov 2008 15:10:58 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Aruba Mobility Controller SNMP Community String Disclosure


Product:

Aruba Mobility Controller
http://www.arubanetworks.com/products/mobility_controllers.php


Aruba mobility controller can be monitored via SNMP. It is possible to learn 
all configured SNMP community strings as long as at least one of them is known 
to the attacker. This can be accomplished by walking OID branch 
SNMP-COMMUNITY-MIB::snmpCommunityName (1.3.6.1.6.3.18.1.1.1.2) or 
SNMP-VIEW-BASED-ACM-MIB::vacmGroupName (1.3.6.1.6.3.16.1.2.1.3).

While the vulnerability is not in any way exposing the Aruba controller itself, 
the disclosure may lead to unauthorized access to other devices for which the 
attacker originally did not possess valid community strings.

Similarly it is possible to enumerate SNMPv3 users by inspecting 
SNMP-USER-BASED-SM-MIB or SNMP-VIEW-BASED-ACM-MIB but the passwords are not 
disclosed. This means that only noAuthNoPriv users represent an immediate 
exposure.


The vulnerability has been identified in ArubaOS version 3.3.2.6 but previous 
versions are also likely affected.


Solution:
Do not rely solely on SNMP community strings to separate access by different 
clients. Where impractical, use unique community strings for the Aruba 
infrastructure.


Found by:
nnposter

Prev by Date: [USN-660-1] enscript vulnerability
Next by Date: rPSA-2008-0311-1 postfix
Previous by thread: [USN-660-1] enscript vulnerability
Next by thread: rPSA-2008-0311-1 postfix
Index(es):
- Date
- Thread