=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN567
_____________________________________________________________________

DATE                      : 09/12/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : ArubaOS running Aruba Mobility Controller.

======================================================================
http://www.arubanetworks.com/support/alerts/aid-12808.asc
______________________________________________________________________
Aruba Networks Security Advisory

Title: DoS Vulnerability in Aruba Mobility Controller Caused by Malformed
EAP Frame.

Aruba Advisory ID: AID-12808
Revision: 1.0

For Public Release on 12/8/2008

+----------------------------------------------------

SUMMARY

A Denial of Service (DoS) vulnerability was discovered during standard
bug reporting procedures in the Aruba Mobility Controller. A malformed
EAP frame causes a process crash on the Aruba Mobility Controller causing
a temporary DoS condition for new clients configured to use EAP authentication.
Prior successful security association is not required to cause this condition.
The Mobility Controller recovers automatically by restarting the affected process.


AFFECTED ArubaOS VERSIONS

2.4.8.x-FIPS, 2.5.x, 3.1.x, 3.2.x, 3.3.1.x, and 3.3.2.x versions


DETAILS

Extensible Authentication Protocol (EAP) is a framework used for authentication
in wireless and point-point connections (RFC 3748). Aruba Mobility Controller
accepts EAP frames on both wireless interfaces (via its thin APs) and wired
interfaces (via devices connected to untrusted physical ports on the controller).
In 802.11 networks, EAP frames are only used when WPA/WPA2 Enterprise modes are
being used.

A malformed EAP frame causes a process crash on the Aruba Mobility Controller.
An attacking station does not need to have completed a successful security
association prior to launching this attack against the controller.


IMPACT

An attacker can inject a malformed EAP frame and cause a process crash on the
Aruba Mobility Controller. This causes a service outage for new clients configured
to use EAP authentication. The Mobility Controller recovers automatically by restarting
the affected process.  An attacker could however cause a prolonged DoS condition
by flooding the Aruba Mobility Controller with malicious EAP frames.

For wireless, this vulnerability only applies when operating in WPA/WPA2 Enterprise
modes. WPA/WPA2-PSK modes are unaffected by this vulnerability and so are open/WEP
based wireless networks. This vulnerability does affect wired devices connected to
untrusted physical ports of the Mobility Controller.


CVSS v2 BASE METRIC SCORE: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)


WORKAROUNDS

Aruba Networks recommends that all customers that are using EAP authentication
apply the appropriate patch(es) as soon as practical.  However, in the event
that a patch cannot immediately be applied, the following steps might help in
mitigating the risk:

- - Aruba Mobility Controllers allows for a mode of operation where a wireless
client's EAP communication terminates on the controller, rather than on an
authentication server (RADIUS server, LDAP server etc.). The Mobility Controller
in turn queries the authentication server on behalf of the client using non EAP
messages. This mode is referred to as "EAP-Offload" and is immune to this
vulnerability. Enabling this mode on the Mobility Controller can be used as a
workaround until the patch(es) can be applied. EAP-Offload is not supported for
wired client devices.


SOLUTION

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.  However, in the event that a patch
can not immediately be applied, the workaround steps will help to mitigate
the risk.

+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
	http://www.arubanetworks.com/support.

Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

	+1-408-754-1200 (toll call from anywhere in the world)

	e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at

Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-12808.asc

SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1


STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-12808.asc


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY

      Revision 1.0 / 12-8-2008 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at
      http://www.arubanetworks.com/support/wsirt.php


For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at
	http://www.arubanetworks.com/support/wsirt.php


      (c) Copyright 2008 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================