Advisory ID: SYSS-2016-085 Product: AOS Manufacturer: Aruba Networks Affected Version(s): 6.3.1.19 Tested Version(s): 6.3.1.19 on an RAP-3 router Vulnerability Type: Improper Authentication Risk Level: High Solution Status: Open Manufacturer Notification: 2016-09-06 Solution Date: -- Public Disclosure: 2016-11-07 CVE Reference: Not yet assigned Author of Advisory: Klaus Tichmann, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: AOS is a Linux-based Operating System designed for routers produced by Aruba Networks. Its shell uses a modified variant of the Busybox shell that restricts the capabilities of the root user until the special command enable and a password is used. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The "enable" protection can be bypassed by pressing the special key sequence [Esc] [Ctrl]-K. As this is an undocument feature or not documentation for this feature could be found, the SySS regards this as a backdoor. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): After entering the special key sequence, the shell emits the message Switching to Full Access and grants all permissions in the current shell session. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to the vendor, the "enable"-functionality is not a security feature. Therefore, no direct fix will be provided. The vendor recommends to upgrade to the newest version of the operating system which allows for disabling of the hardware console. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-09-01: Vulnerability discovered 2016-09-06: Vulnerability reported to manufacturer 2016-11-07: Public disclusure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product information for AOS http://www.arubanetworks.com/assets/ds/DS_AOS.pdf [2] Product website for RAP-3WNP http://www.arubanetworks.com/products/networking/access-points/rap-3/ [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Klaus Tichmann of the SySS GmbH. E-Mail: klaus.tichmann@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Klaus_Tichmann.asc Key ID: 0x99042A60 Key Fingerprint: B51E A884 B3F8 4D72 B705 4B91 4EBD A263 9904 2A60 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en