Aruba Advisory ID: AID-42309 Management User Authentication Bypass Vulnerability When Using Public Key Based SSH Authentication
Aruba Networks Security Advisory
Title: Management User Authentication Bypass Vulnerability When Using
Public Key Based SSH Authentication.
Aruba Advisory ID: AID-42309
Revision: 1.0
For Public Release on 4/23/2009
+----------------------------------------------------
SUMMARY
A management user authentication bypass vulnerability was discovered
during standard internal bug reporting procedures in the Aruba Mobility
Controller. This vulnerability only affects customers using public key
based SSH authentication for controller management users.
AFFECTED ArubaOS VERSIONS
- 3.3.1.x, 3.3.2.x, RN 1.0, RN 2.0
DETAILS
Aruba Mobility Controllers allow public key authentication of users
accessing the controller using SSH. A vulnerability in the key-based SSH
authentication component may allow unauthorized SSH access to the Aruba
Mobility Controller. Key-based SSH authentication is not the default SSH
authentication method and must be configured as an authentication method
for users before it will be used. By default, SSH authentication uses a
username-password scheme for authenticating management users, which is
not vulnerable to this issue. Other authentication methods supported by
the Aruba Mobility Controller are also not vulnerable to this issue.
IMPACT
An attacker with SSH access to the Aruba Mobility Controller may be able
to gain unauthorized access to the management account of an Aruba
Mobility Controller.
CVSS v2 BASE METRIC SCORE: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)
WORKAROUNDS
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
cannot immediately be applied, the following steps will help to mitigate
the risk:
- Disable public key based SSH authentication for management accounts
until such time as the patches can be applied, and switch to a
username-password based authentication scheme.
- Do not expose the Mobility Controller administrative interface to
untrusted networks such as the Internet.
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
cannot immediately be applied, the workaround steps above will help to
mitigate the risk.
The following patches have the fix (any newer patch will also have the fix):
- 3.3.1.24
- 3.3.2.11
- 3.3.2.8-rn-2.1_20469
Please note: we highly recommend that you upgrade your Mobility
Controller to the latest available patch on the Aruba support site
corresponding to your currently installed release.
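As an added audit helper (not part of the advisory or of Aruba's own tooling), the following Python classifies a constructed controller inventory against the fixed builds listed above, applying the "any newer patch also has the fix" rule per release line and folding in the workaround state. The RN version-string layout ("-rn-<major>.<minor>_<build>", mirroring how the fixed RN build is written) and the inventory entries are assumptions.

```python
"""Audit helper for AID-42309: classify ArubaOS controllers by patch state.
Fixed builds come from the advisory; the inventory below is constructed sample
data, and RN builds are assumed to use the '-rn-<maj>.<min>_<build>' suffix."""
import re

# Any newer patch on the same release line also carries the fix.
FIXED_3_3_1 = (3, 3, 1, 24)
FIXED_3_3_2 = (3, 3, 2, 11)
FIXED_RN = (2, 1, 20469)  # from "3.3.2.8-rn-2.1_20469"; RN 1.0 and 2.0 are affected

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-rn-(\d+)\.(\d+)_(\d+))?$")

def parse_version(text):
    """Split an ArubaOS version into (base tuple, RN tuple or None)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ArubaOS version: {text!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3, 4))
    rn = tuple(int(x) for x in m.group(5, 6, 7)) if m.group(5) else None
    return base, rn

def patch_state(version):
    """Return 'fixed', 'vulnerable' or 'unlisted' for AID-42309."""
    base, rn = parse_version(version)
    if rn is not None:  # RN line is judged by its own version, not the 3.3.2.8 base
        return "fixed" if rn >= FIXED_RN else "vulnerable"
    if base[:3] == (3, 3, 1):
        return "fixed" if base >= FIXED_3_3_1 else "vulnerable"
    if base[:3] == (3, 3, 2):
        return "fixed" if base >= FIXED_3_3_2 else "vulnerable"
    return "unlisted"  # release line not named in the advisory

def assess(version, pubkey_ssh_enabled):
    """Fold in the workaround: a vulnerable build with public key SSH
    authentication disabled for management users is mitigated, not exposed."""
    state = patch_state(version)
    if state != "vulnerable":
        return state
    return "exposed" if pubkey_ssh_enabled else "mitigated"

# Constructed inventory (name, ArubaOS version, pubkey SSH auth enabled).
INVENTORY = [
    ("core-ctl-1", "3.3.1.20", True),
    ("core-ctl-2", "3.3.1.24", True),
    ("branch-rn-1", "3.3.2.8-rn-2.0_19000", False),
    ("branch-rn-2", "3.3.2.8-rn-2.1_20469", True),
]
if __name__ == "__main__":
    for name, ver, pubkey in INVENTORY:
        print(f"{name:12} {ver:24} {assess(ver, pubkey)}")
```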
+----------------------------------------------------
OBTAINING FIXED FIRMWARE
Aruba customers can obtain the firmware on the support website:
http://www.arubanetworks.com/support.
Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com
Please do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.
EXPLOITATION AND PUBLIC ANNOUNCEMENTS
This vulnerability will be announced at:
- Aruba W.S.I.R.T. Advisory: http://www.arubanetworks.com/support/alerts/aid-42309.asc
- SecurityFocus Bugtraq: http://www.securityfocus.com/archive/1
STATUS OF THIS NOTICE: Final
Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-42309.asc
Future updates of this advisory, if any, will be placed on Aruba's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
REVISION HISTORY
- Revision 1.0 / 04-23-2009 / Initial release
ARUBA WSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at http://www.arubanetworks.com/support/wsirt.php
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For
sensitive information we encourage the use of PGP encryption. Our public
keys can be found at http://www.arubanetworks.com/support/wsirt.php
(c) Copyright 2009 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.