Aruba AirWave admin? Get the latest patch

XML and cross-site scripting bug-fixes

Aruba AirWave systems need patching against multiple bugs in their control interface.

According to an advisory SEC Consult posted to Full Disclosure, there are two problems with the kit: an XML External Entity (XXE) injection bug, and a reflected cross-site scripting (XSS) bug.

Both can be exploited remotely.

In CVE-2016-8526, the XML parser used by the AirWave control panel resolves external XML entities, so an attacker who submits crafted XML can have the parser read files and port-scan the internal network on their behalf.

The advisory adds that files on the AirWave are encrypted using a shared static key, meaning privilege escalation is also feasible.
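The root cause above is a parser that honours DTD and external entity declarations in untrusted input. The standard fix is to refuse any DOCTYPE or entity declaration before the real parse. The following is an added example (not code from SEC Consult or Aruba) showing that guard in Python's standard library for a hypothetical service that accepts XML; the test documents are constructed, and the `SYSTEM` identifier is a placeholder, not a real target.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXML(Exception):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def _reject(*_args):
    # expat calls this as soon as it sees <!DOCTYPE ...> or an <!ENTITY ...>
    # declaration; raising here aborts the scan before any entity can be
    # resolved or expanded.
    raise UnsafeXML("DOCTYPE / ENTITY declaration not allowed in this input")


def check_no_dtd(xml_bytes: bytes) -> None:
    """Pre-scan untrusted XML and refuse anything that declares a DTD.

    This mirrors the defusedxml approach: the document is walked once with a
    bare expat parser whose only job is to trip on DTD constructs. Malformed
    XML surfaces as xml.parsers.expat.ExpatError, which callers may also treat
    as a rejection.
    """
    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject
    scanner.EntityDeclHandler = _reject
    scanner.Parse(xml_bytes, True)


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse XML from an untrusted client only after the DTD guard passes."""
    check_no_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed sample inputs: a benign request and an XXE-shaped one with a
# placeholder system identifier (no real file or host is referenced).
BENIGN = b"<request><name>ap-lobby-01</name></request>"
XXE_SHAPED = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "PLACEHOLDER-URI">]>'
    b"<request><name>&ext;</name></request>"
)


def guard_rejects(xml_bytes: bytes) -> bool:
    """Return True if the guard refuses the document, False if it is accepted."""
    try:
        parse_untrusted_xml(xml_bytes)
    except UnsafeXML:
        return True
    return False
```

The same guard also blocks entity-expansion denial of service (nested internal entities), since those require an `<!ENTITY>` declaration too.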

The second bug, CVE-2016-8527, allows reflected XSS. “Due to the lack of input validation, an attacker can insert malicious JavaScript code to be executed under a victim's browser context”, the advisory says (with proof-of-concept).

The bugs are fixed in Aruba AirWave 8.2.3.1, released in late February. ®


Biting the hand that feeds IT © 1998–2017