Aruba Networks AOS 6.3.1.19 Improper Authentication

2016-11-07T00:00:00
ID PACKETSTORM:139595
Type packetstorm
Reporter Klaus Tichmann
Modified 2016-11-07T00:00:00

Description

                                        
                                            `Advisory ID: SYSS-2016-085  
Product: AOS  
Manufacturer: Aruba Networks  
Affected Version(s): 6.3.1.19  
Tested Version(s): 6.3.1.19 on an RAP-3 router  
Vulnerability Type: Improper Authentication  
Risk Level: High  
Solution Status: Open  
Manufacturer Notification: 2016-09-06  
Solution Date: --  
Public Disclosure: 2016-11-07  
CVE Reference: Not yet assigned  
Author of Advisory: Klaus Tichmann, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
AOS is a Linux-based Operating System designed for routers produced by  
Aruba Networks.  
  
Its shell uses a modified variant of the Busybox shell that restricts  
the capabilities of the root user until the special command enable and  
a password is used.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The "enable" protection can be bypassed by pressing the special key  
sequence [Esc] [Ctrl]-K. As this is an undocument feature or not  
documentation for this feature could be found, the SySS regards this as  
a backdoor.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
After entering the special key sequence, the shell emits the message  
  
Switching to Full Access  
  
and grants all permissions in the current shell session.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
According to the vendor, the "enable"-functionality is not a security  
feature. Therefore, no direct fix will be provided. The vendor  
recommends to upgrade to the newest version of the operating system  
which allows for disabling of the hardware console.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2016-09-01: Vulnerability discovered  
2016-09-06: Vulnerability reported to manufacturer  
2016-11-07: Public disclusure  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product information for AOS  
http://www.arubanetworks.com/assets/ds/DS_AOS.pdf  
[2] Product website for RAP-3WNP  
http://www.arubanetworks.com/products/networking/access-points/rap-3/  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Klaus Tichmann of the SySS  
GmbH.  
  
E-Mail: klaus.tichmann@syss.de  
Public Key:  
https://www.syss.de/fileadmin/dokumente/PGPKeys/Klaus_Tichmann.asc  
Key ID: 0x99042A60  
Key Fingerprint: B51E A884 B3F8 4D72 B705 4B91 4EBD A263 9904 2A60  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
`