Aruba! Aruba! Patch now, patch fast!
Google bug-hunters disclose 26 vulnerabilities
Aruba Networks is slinging patches at a bunch of vulnerabilities in management platforms, its Aruba Instant Platform, and its proprietary ArubaOS PAPI management API.
The company posted three advisories here after Google put it on a 90-day deadline, with the Chocolate Factory's Sven Blumenstein dropping a consolidated report of 26 individual vulns at Full Disclosure on Friday.
Al are considered “urgent”, according to the HP subsidiary.
In a tone of some irritation, Aruba says it's “reminding” customers that PAPI “is not a secure protocol”.
The updated disclosure was issued because Blumenstein's post went beyond what Aruba had already disclosed, to include details of vulnerabilities. These include:
- MD5 message digests are not properly validated upon receipt;
- PAPI encryption protocol is weak; and
- All Aruba devices use a common static key for message validation.
Aruba says customers should read up on mitigation in its Control Plane Security Best Practices at Aruba support.
In a set of vulnerabilities covered by CVE-2016-2031, the company has announced fixes for its Aruba Instant platform (AIP).
Users need to upgrade to IAP version 220.127.116.11 or 18.104.22.168 depending on the kit they run, to patch bugs that include:
- Insecure transmission of login credentials (using HTTP GET);
- A static password for AIP's engineering support mode. It says since the support mode has to be accessed from an authenticated session, “Aruba does not consider this to be a vulnerability“, but it will work on adding a challenge-response to the support login;
- A remote code execution bug, fixed;
- Information disclosure and firmware update bugs; a hard-coded certificate with private key issue; PAPI bugs; an LLDP information disclosure bug; and a static key used to encrypt user passwords.
AirWave Management Platform software in the 8.x series, prior to version 8.2, rounds out the bug-hunt.
The bugs disclosed in CVE-2016-2032 include an exposed RabbitMQ management interface; weak XSRF token generation; and an exposed NTP configuration file that attackers could modify. AirWave users are told to upgrade to version 8.2.0 or higher.
Both AirWave and Aruba Instant also inherit the PAPI protocol issues disclosed in CVE-2016-2032. ®