=====================================================================
                                   CERT-Renater

                        Information Note No. 2011/VULN076
_____________________________________________________________________

DATE                      : 03/02/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : ArubaOS version 3.3.1.x, 3.3.2.x, 3.3.3.X,
                             3.4.2.X, 5.0.X, RN-3.1.X, 3.3.2.x-FIPS,
                             3.4.2.x-FIPS.

======================================================================
http://www.arubanetworks.com/support/alerts/aid-013111.asc
______________________________________________________________________

ADVISORY NUMBER 013111


Advisory # 1:

TITLE

Malformed 802.11 Probe Request frame causes Denial of Service condition on an Access Point.

SUMMARY

A Denial of Service (DoS) vulnerability was discovered during standard bug reporting procedures. A malformed 802.11 probe request frame causes a crash on the Access Point (AP) causing a temporary DoS
condition for wireless clients. Prior successful security association with the wireless network is not required to cause this condition. The AP recovers automatically by restarting itself.


AFFECTED ArubaOS VERSIONS

3.3.1.x, 3.3.2.x, 3.3.3.X, 3.4.2.X, 5.0.X, RN-3.1.X, 3.3.2.x-FIPS and 3.4.2.x-FIPS


DETAILS

An 802.11 probe request frame is used by wireless clients to discover wireless networks. A malformed probe request frame may cause a crash on the Aruba APs. An attacking station does not need to have
completed a successful security association prior to launching this attack since a probe request frame is an unprotected frame. This vulnerability affects all Aruba APs.


IMPACT

An attacker can inject a malformed probe request frame and cause an AP to crash. This causes a service outage for all clients connected to that AP. The AP recovers automatically by restarting.  An
attacker could however cause a prolonged DoS condition by flooding the WLAN with malicious probe request frames.

This vulnerability applies equally to both encrypted and unencrypted WLANs. This vulnerability does not affect wired devices connected to the Aruba Mobility Controller.

CVSS v2 BASE METRIC SCORE: 6.1 (AV:A/AC:L/Au:N/C:N/I:N/A:C)


WORKAROUNDS

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the following steps will help to mitigate the risk:

- Disable WIDS functionality in the radio profile for all bands

		rf dot11a-radio-profile <profile>
			disable-arm-wids-functions
		!
		rf dot11g-radio-profile <profile>
			disable-arm-wids-functions
		!

SOLUTION

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.

The following patches have the fix (any newer patch will also have the fix):

- 3.3.3.8
- 3.4.2.6
- 5.0.2.0
- RN3.1.12
- 3.3.2.20-FIPS
- 3.4.2.3-FIPS

The FIPS releases noted above are currently undergoing FIPS certification and are available from Aruba on request. Patches for 3.3.1.X and 3.3.2.X releases would be made available on request as well.

Please note: We highly recommend that you upgrade your Mobility Controller to the latest available patch on the Aruba support site corresponding to your currently installed release.

+----------------------------------------------------


Advisory # 2:

TITLE

Dot1X Wireless User Authentication Bypass Vulnerability when EAP-TLS Dot1X local termination is enabled on WLAN.


SUMMARY

An EAP-TLS Dot1X wireless user authentication bypass vulnerability was discovered during standard internal bug reporting procedures in the Aruba Mobility Controller. This vulnerability only affects
customers with EAP-TLS Dot1X local termination enabled on a WLAN.


AFFECTED ArubaOS VERSIONS

3.3.1.x, 3.3.2.x, 3.3.3.X, 3.4.X, 5.0.X, RN-3.1.X, 3.3.2.x-FIPS and 3.4.2.x-FIPS


DETAILS

Aruba Mobility Controllers allow for local termination of EAP-TLS Dot1X authentication of wireless users accessing the network and authenticating via EAP-TLS. Local Dot1X termination allows rapid
deployment of WLAN without requiring an external authentication server capable of EAP-TLS authentication. A vulnerability in the EAP-TLS Dot1X termination component in the Mobility Controller may
allow unauthorized network access to some wireless users.

EAP-TLS Dot1X termination is not the default setup and must be configured manually for a WLAN before it will be used. Wireless users authenticating to an external authentication server are NOT
vulnerable and neither are wired users. Other WLANs on the same Mobility Controller that do not use local termination of Dot1X EAP-TLS are NOT affected by this vulnerability.


IMPACT

An EAP-TLS wireless user may be able to gain unauthorized access to a WLAN configured with local Dot1X termination of EAP-TLS authentications on the Aruba Mobility Controller.


CVSS v2 BASE METRIC SCORE: 4.3 (AV:A/AC:M/Au:N/C:P/I:P/A:N)


HOW TO IDENTIFY IF YOU ARE VULNERABLE

If the following lines exist in your configuration for a particular aaa profile and that profile is assigned to an active virtual ap, then you are vulnerable.

	aaa authentication dot1x <profile>
		termination enable
		termination eap-type eap-tls
		...
		...
	!
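
The check above, together with the Advisory # 1 workaround check, as an added example (not part of the Aruba advisory or any Aruba tool). It assumes a saved configuration with stanza headers at column 0, indented settings and "!" closing each stanza; the profile names and sample text are constructed. It reports profiles only, so whether a flagged aaa profile is assigned to an active virtual ap still has to be confirmed as described above.

```python
import re

# Constructed sample configuration (not from a real controller); stanza
# headers at column 0, indented settings, "!" closing each stanza.
SAMPLE_CONFIG = """\
aaa authentication dot1x "corp-tls"
   termination enable
   termination eap-type eap-tls
!
aaa authentication dot1x "guest"
   termination eap-type eap-tls
!
rf dot11a-radio-profile "default"
   disable-arm-wids-functions
!
rf dot11g-radio-profile "default"
!
"""

def parse_stanzas(text):
    """Return [(header, [settings])] for each stanza of the config text."""
    stanzas, header, body = [], None, []
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line:
            continue
        if line == "!" or not raw[0].isspace():
            if header is not None:            # close the open stanza
                stanzas.append((header, body))
            header, body = (None if line == "!" else line), []
        elif header is not None:
            body.append(line)
    if header is not None:
        stanzas.append((header, body))
    return stanzas

def local_eap_tls_profiles(text):
    """Dot1x profiles carrying both lines the advisory says to look for."""
    return [m.group(1).strip('"') for h, body in parse_stanzas(text)
            if (m := re.match(r"aaa authentication dot1x (.+)", h))
            and "termination enable" in body
            and "termination eap-type eap-tls" in body]

def radio_profiles_without_workaround(text):
    """Radio profiles (both bands) lacking the Advisory 1 workaround line."""
    return [(m.group(1), m.group(2).strip('"')) for h, body in parse_stanzas(text)
            if (m := re.match(r"rf (dot11[ag]-radio-profile) (.+)", h))
            and "disable-arm-wids-functions" not in body]

if __name__ == "__main__":
    print("local EAP-TLS termination:", local_eap_tls_profiles(SAMPLE_CONFIG))
    print("no WIDS workaround:", radio_profiles_without_workaround(SAMPLE_CONFIG))
```
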

	
WORKAROUNDS

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.  However, in the event that a patch cannot immediately be applied, the following steps will help to mitigate the risk:

- Disable EAP-TLS Dot1X local termination for wireless users until such time as the patches can be applied and switch to using an external EAP-TLS server for authenticating wireless users. If
local Dot1X termination cannot be disabled, switch to using another EAP method to authenticate wireless users.


SOLUTION

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.

The following patches have the fix (any newer patch will also have the fix):

- 3.3.3.9
- 3.4.3.1
- 5.0.2.1
- RN3.1.13
- 3.3.2.20-FIPS
- 3.4.2.3-FIPS

The FIPS releases noted above are currently undergoing FIPS certification and are available from Aruba on request. Patches for 3.3.1.X and 3.3.2.X releases would be made available on request as well.

Please note: We highly recommend that you upgrade your Mobility Controller to the latest available patch on the Aruba support site corresponding to your currently installed release.



+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
	http://www.arubanetworks.com/support.

Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

	+1-408-754-1200 (toll call from anywhere in the world)

	e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at

Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-011511.asc

SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1


STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing
updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain
factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-013111.asc


Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.


REVISION HISTORY

      Revision 1.0 / 01-31-2011 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at
      http://www.arubanetworks.com/support/wsirt.php


For reporting *NEW* Aruba Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption.
Our public keys can be found at
	http://www.arubanetworks.com/support/wsirt.php


      (c) Copyright 2010 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================




