-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Aruba Networks Security Advisory Title: DoS Vulnerability in Aruba Mobility Controller Caused by Malformed EAP Frame. Aruba Advisory ID: AID-12808 Revision: 1.0 For Public Release on 12/8/2008 +---------------------------------------------------- SUMMARY A Denial of Service (DoS) vulnerability was discovered during standard bug reporting procedures in the Aruba Mobility Controller. A malformed EAP frame causes a process crash on the Aruba Mobility Controller causing a temporary DoS condition for new clients configured to use EAP authentication. Prior successful security association is not required to cause this condition. The Mobility Controller recovers automatically by restarting the affected process. AFFECTED ArubaOS VERSIONS 2.4.8.x-FIPS, 2.5.x, 3.1.x, 3.2.x, 3.3.1.x, and 3.3.2.x versions DETAILS Extensible Authentication Protocol (EAP) is a framework used for authentication in wireless and point-point connections (RFC 3748). Aruba Mobility Controller accepts EAP frames on both wireless interfaces (via its thin APs) and wired interfaces (via devices connected to untrusted physical ports on the controller). In 802.11 networks, EAP frames are only used when WPA/WPA2 Enterprise modes are being used. A malformed EAP frame causes a process crash on the Aruba Mobility Controller. An attacking station does not need to have completed a successful security association prior to launching this attack against the controller. IMPACT An attacker can inject a malformed EAP frame and cause a process crash on the Aruba Mobility Controller. This causes a service outage for new clients configured to use EAP authentication. The Mobility Controller recovers automatically by restarting the affected process. An attacker could however cause a prolonged DoS condition by flooding the Aruba Mobility Controller with malicious EAP frames. For wireless, this vulnerability only applies when operating in WPA/WPA2 Enterprise modes. WPA/WPA2-PSK modes are unaffected by this vulnerability and so are open/WEP based wireless networks. This vulnerability does affect wired devices connected to untrusted physical ports of the Mobility Controller. CVSS v2 BASE METRIC SCORE: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) WORKAROUNDS Aruba Networks recommends that all customers that are using EAP authentication apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the following steps might help in mitigating the risk: - - - Aruba Mobility Controllers allows for a mode of operation where a wireless client's EAP communication terminates on the controller, rather than on an authentication server (RADIUS server, LDAP server etc.). The Mobility Controller in turn queries the authentication server on behalf of the client using non EAP messages. This mode is referred to as "EAP-Offload" and is immune to this vulnerability. Enabling this mode on the Mobility Controller can be used as a workaround until the patch(es) can be applied. EAP-Offload is not supported for wired client devices. SOLUTION Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch can not immediately be applied, the workaround steps will help to mitigate the risk. +---------------------------------------------------- OBTAINING FIXED FIRMWARE Aruba customers can obtain the firmware on the support website: http://www.arubanetworks.com/support. Aruba Support contacts are as follows: 1-800-WiFiLAN (1-800-943-4526) (toll free from within North America) +1-408-754-1200 (toll call from anywhere in the world) e-mail: support(at)arubanetworks.com Please, do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades. EXPLOITATION AND PUBLIC ANNOUNCEMENTS This vulnerability will be announced at Aruba W.S.I.R.T. Advisory: http://www.arubanetworks.com/support/alerts/aid-12808.asc SecurityFocus Bugtraq http://www.securityfocus.com/archive/1 STATUS OF THIS NOTICE: Final Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. DISTRIBUTION OF THIS ANNOUNCEMENT This advisory will be posted on Aruba's website at: http://www.arubanetworks.com/support/alerts/aid-12808.asc Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. REVISION HISTORY ~ Revision 1.0 / 12-8-2008 / Initial release ARUBA WSIRT SECURITY PROCEDURES Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at ~ http://www.arubanetworks.com/support/wsirt.php For reporting *NEW* Aruba Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support/wsirt.php ~ (c) Copyright 2008 by Aruba Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkk9c5kACgkQp6KijA4qefU7vACg4RsVQOwBPeGRdcf7/iOmXQTE RNcAnRvRz7XFOHeOyRCcMFI5FF1synMd =e8RT -----END PGP SIGNATURE-----