-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ADVISORY NUMBER 013111
Advisory # 1:
TITLE
Malformed 802.11 Probe Request frame causes Denial of Service condition
on an Access Point.
SUMMARY
A Denial of Service (DoS) vulnerability was discovered during standard
bug reporting procedures. A malformed 802.11 probe request frame causes
a crash on the Access Point (AP) causing a temporary DoS condition for
wireless clients. Prior successful security association with the
wireless network is not required to cause this condition. The AP
recovers automatically by restarting itself.
AFFECTED ArubaOS VERSIONS
3.3.1.x, 3.3.2.x, 3.3.3.X, 3.4.2.X, 5.0.X, RN-3.1.X, 3.3.2.x-FIPS and
3.4.2.x-FIPS
DETAILS
An 802.11 probe request frame is used by wireless clients to discover
wireless networks. A malformed probe request frame may cause a crash on
the Aruba APs. An attacking station does not need to have completed a
successful security association prior to launching this attack since a
probe request frame is an unprotected frame. This vulnerability affects
all Aruba APs.
IMPACT
An attacker can inject a malformed probe request frame and cause an AP
to crash. This causes a service outage for all clients connected to that
AP. The AP recovers automatically by restarting. An attacker could
however cause a prolonged DoS condition by flooding the WLAN with
malicious probe request frames.
This vulnerability applies equally to both encrypted and unencrypted
WLANs. This vulnerability does not affect wired devices connected to the
Aruba Mobility Controller.
CVSS v2 BASE METRIC SCORE: 6.1 (AV:A/AC:L/Au:N/C:N/I:N/A:C)
WORKAROUNDS
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
cannot immediately be applied, the following steps will help to mitigate
the risk:
- Disable WIDS functionality in the radio profile for all bands

    rf dot11a-radio-profile <profile>
      disable-arm-wids-functions
    !
    rf dot11g-radio-profile <profile>
      disable-arm-wids-functions
    !
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.
The following patches have the fix (any newer patch will also have the fix):
- 3.3.3.8
- 3.4.2.6
- 5.0.2.0
- RN3.1.12
- 3.3.2.20-FIPS
- 3.4.2.3-FIPS
The FIPS releases noted above are currently undergoing FIPS
certification and are available from Aruba on request. Patches for
3.3.1.X and 3.3.2.X releases would be made available on request as well.
Please note: We highly recommend that you upgrade your Mobility
Controller to the latest available patch on the Aruba support site
corresponding to your currently installed release.
+----------------------------------------------------
Advisory # 2:
TITLE
Dot1X Wireless User Authentication Bypass Vulnerability when EAP-TLS
Dot1X local termination is enabled on WLAN.
SUMMARY
An EAP-TLS Dot1X wireless user authentication bypass vulnerability was
discovered during standard internal bug reporting procedures in the
Aruba Mobility Controller. This vulnerability only affects customers
with EAP-TLS Dot1X local termination enabled on a WLAN.
AFFECTED ArubaOS VERSIONS
3.3.1.x, 3.3.2.x, 3.3.3.X, 3.4.X, 5.0.X, RN-3.1.X, 3.3.2.x-FIPS and
3.4.2.x-FIPS
DETAILS
Aruba Mobility Controllers allow for local termination of EAP-TLS Dot1X
authentication of wireless users accessing the network and
authenticating via EAP-TLS. Local Dot1X termination allows rapid
deployment of WLAN without requiring an external authentication server
capable of EAP-TLS authentication. A vulnerability in the EAP-TLS Dot1X
termination component in the Mobility Controller may allow unauthorized
network access to some wireless users.
EAP-TLS Dot1X termination is not the default setup and must be
configured manually for a WLAN before it will be used. Wireless users
authenticating to an external authentication server are NOT vulnerable
and neither are wired users. Other WLANs on the same Mobility Controller
that do not use local termination of Dot1X EAP-TLS are NOT affected by
this vulnerability.
IMPACT
An EAP-TLS wireless user may be able to gain unauthorized access to a
WLAN configured with local Dot1X termination of EAP-TLS authentications
on the Aruba Mobility Controller.
CVSS v2 BASE METRIC SCORE: 4.3 (AV:A/AC:M/Au:N/C:P/I:P/A:N)
HOW TO IDENTIFY IF YOU ARE VULNERABLE
If the following lines exist in your configuration for a particular aaa
profile and that profile is assigned to an active virtual ap, then you
are vulnerable.
    aaa authentication dot1x <profile>
      termination enable
      termination eap-type eap-tls
      ...
      ...
    !
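
The check above, together with the radio-profile workaround from Advisory # 1, can be run against a saved configuration file. This is an added example, not Aruba's code; it assumes every stanza ends with a line containing only "!", and the profile names in the sample configuration are constructed.

```python
import re

# Stanza headers named in the advisory; names may be quoted in a saved config.
HEADER = re.compile(
    r'^(aaa authentication dot1x|rf dot11[ag]-radio-profile)\s+"?([^"]+?)"?\s*$')

def parse_stanzas(config_text):
    """Return [(kind, name, body_lines)]; a stanza ends at a line holding only '!'."""
    stanzas, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()          # tolerate configs with or without indentation
        if line == "!":
            current = None
            continue
        match = HEADER.match(line)
        if match:
            current = (match.group(1), match.group(2), [])
            stanzas.append(current)
        elif current is not None:
            current[2].append(line)
    return stanzas

def dot1x_local_eap_tls(config_text):
    """dot1x profiles carrying both lines the advisory lists for Advisory # 2."""
    wanted = {"termination enable", "termination eap-type eap-tls"}
    return [name for kind, name, body in parse_stanzas(config_text)
            if kind == "aaa authentication dot1x" and wanted <= set(body)]

def radios_without_wids_workaround(config_text):
    """Radio profiles that lack the Advisory # 1 workaround line."""
    return [f"{kind} {name}" for kind, name, body in parse_stanzas(config_text)
            if kind.startswith("rf ") and "disable-arm-wids-functions" not in body]

# Constructed sample configuration (not taken from a real controller).
SAMPLE_CONFIG = """\
aaa authentication dot1x "corp-local"
   termination enable
   termination eap-type eap-tls
!
aaa authentication dot1x "corp-external"
!
aaa authentication dot1x "guest-peap"
   termination enable
   termination eap-type eap-peap
!
rf dot11a-radio-profile "default"
   disable-arm-wids-functions
!
rf dot11g-radio-profile "default"
!
"""

if __name__ == "__main__":
    for name in dot1x_local_eap_tls(SAMPLE_CONFIG):
        print(f"dot1x profile {name}: local EAP-TLS termination enabled")
    for radio in radios_without_wids_workaround(SAMPLE_CONFIG):
        print(f"{radio}: disable-arm-wids-functions not set")
```

A flagged dot1x profile still has to be traced by hand to an aaa profile assigned to an active virtual AP, as the advisory requires; the script does not resolve that assignment.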
WORKAROUNDS
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
cannot immediately be applied, the following steps will help to mitigate
the risk:
- Disable EAP-TLS Dot1X local termination for wireless users until
such time as the patches can be applied and switch to using an external
EAP-TLS server for authenticating wireless users. If local Dot1X
termination cannot be disabled, switch to using another EAP method to
authenticate wireless users.
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.
The following patches have the fix (any newer patch will also have the fix):
- 3.3.3.9
- 3.4.3.1
- 5.0.2.1
- RN3.1.13
- 3.3.2.20-FIPS
- 3.4.2.3-FIPS
The FIPS releases noted above are currently undergoing FIPS
certification and are available from Aruba on request. Patches for
3.3.1.X and 3.3.2.X releases would be made available on request as well.
Please note: We highly recommend that you upgrade your Mobility
Controller to the latest available patch on the Aruba support site
corresponding to your currently installed release.
+----------------------------------------------------
OBTAINING FIXED FIRMWARE
Aruba customers can obtain the firmware on the support website:
http://www.arubanetworks.com/support.
Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com
Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.
EXPLOITATION AND PUBLIC ANNOUNCEMENTS
This vulnerability will be announced at
Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-011511.asc
SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1
STATUS OF THIS NOTICE: Final
Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-013111.asc
Future updates of this advisory, if any, will be placed on Aruba's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
REVISION HISTORY
Revision 1.0 / 01-31-2011 / Initial release
ARUBA WSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at
http://www.arubanetworks.com/support/wsirt.php
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For
sensitive information we encourage the use of PGP encryption. Our public
keys can be found at
http://www.arubanetworks.com/support/wsirt.php
(c) Copyright 2010 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are complete
and unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk1HWsgACgkQp6KijA4qefWrngCeI3lu7Ruj6yD/m+k1L/hzHBNe
z88AoIumgoaPBrC+Y+ZMCizJ4SWVymhr
=mfyN
-----END PGP SIGNATURE-----