DoS Vulnerability in Aruba Mobility Controller Caused by Malformed EAP Frame (Aruba Advisory ID: AID-12808)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Aruba Networks Security Advisory
Title: DoS Vulnerability in Aruba Mobility Controller Caused by
Malformed EAP Frame.
Aruba Advisory ID: AID-12808
Revision: 1.0
For Public Release on 12/8/2008
+----------------------------------------------------
SUMMARY
A Denial of Service (DoS) vulnerability was discovered during standard
bug reporting procedures
in the Aruba Mobility Controller. A malformed EAP frame causes a process
crash on the Aruba
Mobility Controller causing a temporary DoS condition for new clients
configured to use EAP
authentication. Prior successful security association is not required to
cause this condition.
The Mobility Controller recovers automatically by restarting the
affected process.
AFFECTED ArubaOS VERSIONS
2.4.8.x-FIPS, 2.5.x, 3.1.x, 3.2.x, 3.3.1.x, and 3.3.2.x versions
DETAILS
Extensible Authentication Protocol (EAP) is a framework used for
authentication in wireless and
point-point connections (RFC 3748). Aruba Mobility Controller accepts
EAP frames on both wireless
interfaces (via its thin APs) and wired interfaces (via devices
connected to untrusted physical
ports on the controller). In 802.11 networks, EAP frames are only used
when WPA/WPA2 Enterprise
modes are being used.
A malformed EAP frame causes a process crash on the Aruba Mobility
Controller. An attacking station
does not need to have completed a successful security association prior
to launching this attack
against the controller.
IMPACT
An attacker can inject a malformed EAP frame and cause a process crash
on the Aruba Mobility
Controller. This causes a service outage for new clients configured to
use EAP authentication.
The Mobility Controller recovers automatically by restarting the
affected process. An attacker
could however cause a prolonged DoS condition by flooding the Aruba
Mobility Controller with
malicious EAP frames.
For wireless, this vulnerability only applies when operating in WPA/WPA2
Enterprise modes.
WPA/WPA2-PSK modes are unaffected by this vulnerability and so are
open/WEP based wireless networks.
This vulnerability does affect wired devices connected to untrusted
physical ports of the Mobility
Controller.
CVSS v2 BASE METRIC SCORE: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
WORKAROUNDS
Aruba Networks recommends that all customers that are using EAP
authentication apply the
appropriate patch(es) as soon as practical. However, in the event that
a patch cannot
immediately be applied, the following steps might help in mitigating the
risk:
- - - Aruba Mobility Controllers allows for a mode of operation where a
wireless client's
EAP communication terminates on the controller, rather than on an
authentication server (RADIUS
server, LDAP server etc.). The Mobility Controller in turn queries the
authentication server on
behalf of the client using non EAP messages. This mode is referred to as
"EAP-Offload" and is
immune to this vulnerability. Enabling this mode on the Mobility
Controller can be used as a
workaround until the patch(es) can be applied. EAP-Offload is not
supported for wired client
devices.
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
can not immediately be applied, the workaround steps will help to mitigate
the risk.
+----------------------------------------------------
OBTAINING FIXED FIRMWARE
Aruba customers can obtain the firmware on the support website:
http://www.arubanetworks.com/support.
Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com
Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.
EXPLOITATION AND PUBLIC ANNOUNCEMENTS
This vulnerability will be announced at
Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-12808.asc
SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1
STATUS OF THIS NOTICE: Final
Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-12808.asc
Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
REVISION HISTORY
~ Revision 1.0 / 12-8-2008 / Initial release
ARUBA WSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at
~ http://www.arubanetworks.com/support/wsirt.php
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at
http://www.arubanetworks.com/support/wsirt.php
~ (c) Copyright 2008 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkk9c5kACgkQp6KijA4qefU7vACg4RsVQOwBPeGRdcf7/iOmXQTE
RNcAnRvRz7XFOHeOyRCcMFI5FF1synMd
=e8RT
-----END PGP SIGNATURE-----