Aruba Mobility Controller SNMP Community String Disclosure
Aruba Mobility Controller SNMP Community String Disclosure
Product:
Aruba Mobility Controller
http://www.arubanetworks.com/products/mobility_controllers.php
Aruba mobility controller can be monitored via SNMP. It is possible to learn
all configured SNMP community strings as long as at least one of them is known
to the attacker. This can be accomplished by walking OID branch
SNMP-COMMUNITY-MIB::snmpCommunityName (1.3.6.1.6.3.18.1.1.1.2) or
SNMP-VIEW-BASED-ACM-MIB::vacmGroupName (1.3.6.1.6.3.16.1.2.1.3).
While the vulnerability is not in any way exposing the Aruba controller itself,
the disclosure may lead to unauthorized access to other devices for which the
attacker originally did not possess valid community strings.
Similarly it is possible to enumerate SNMPv3 users by inspecting
SNMP-USER-BASED-SM-MIB or SNMP-VIEW-BASED-ACM-MIB but the passwords are not
disclosed. This means that only noAuthNoPriv users represent an immediate
exposure.
The vulnerability has been identified in ArubaOS version 3.3.2.6 but previous
versions are also likely affected.
Solution:
Do not rely solely on SNMP community strings to separate access by different
clients. Where impractical, use unique community strings for the Aruba
infrastructure.
Found by:
nnposter