Aruba Remote Access Point (RAP) Command Injection

2015.03.26
Credit: Aruba
Risk: High
Local: No
Remote: Yes
CWE: CWE-78 (per the vendor advisory below)


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Note: the scores above are the site's own. The vendor advisory below rates the issue Severity Low, CVSSv2 3.0, vector AV:L/AC:M/Au:S/C:P/I:P/A:N (local access, medium complexity, single authentication required, partial confidentiality and integrity impact, no availability impact).

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2015-004
CVE: CVE-2015-1388
Publication Date: 2015-03-18
Status: Confirmed, Fixed
Revision: 1

Title
=====
Aruba Remote Access Point (RAP) Command Injection

Overview
========
Aruba has identified a problem with the "RAP Console" feature used in Aruba access points operating in Remote AP mode.

Affected Products
=================
-- ArubaOS 5.x
-- ArubaOS 6.1.x
-- ArubaOS 6.2.x
-- ArubaOS 6.3 prior to 6.3.1.15
-- ArubaOS 6.4 prior to 6.4.2.4

Solution
========
Upgrade to one of the following software versions:
-- ArubaOS 6.3.1.15 or later
-- ArubaOS 6.4.2.4 or later

Note: ArubaOS 5.x, 6.1.x, and 6.2.x are no longer being actively developed, and security patches are produced by default only for high-severity issues. Customers who require patches for older versions should contact Aruba Technical Support to make that request.

Details
=======
This vulnerability allows a local user to execute commands on the RAP's underlying operating system with the privilege level of "root". Access to the "RAP console" is available only to RAPs configured in bridge mode or split-tunnel mode.

In order to protect customer networks, Aruba is providing no additional details in the initial advisory. In accordance with our vulnerability disclosure policy, Aruba will update this advisory in 60 days to provide full details of the vulnerability.

Workaround
==========
Access to the "RAP console" interface may be disabled through use of a firewall rule. See the ArubaOS User Guide section entitled, "Configuring an ACL to Restrict Local Debug Homepage Access" for details. An example of this ACL follows:

    ip access-list session logon-control
      user localip svc-http deny
      user any permit

In the ACL above, the alias "localip" refers to the IP address of the RAP. When applied to user traffic, this ACL would deny local users the ability to establish an HTTP session with the RAP.
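The workaround ACL above is only effective if its two rules are evaluated in the order written and if the service alias actually covers the port the console listens on. The following is an added model of that evaluation, written for this page and not taken from ArubaOS; it assumes session ACL rules are matched top-down with first match winning and an implicit deny at the end, that "localip" resolves to the RAP's own address, and that svc-http and svc-https mean TCP/80 and TCP/443. The RAP address and the client flows are constructed.

```python
"""First-match evaluation of the 'logon-control' session ACL from the
workaround, over constructed flows.

Added model for this page, not ArubaOS code. Assumptions: session ACL
rules are evaluated top-down and the first match wins, with an implicit
deny at the end; 'localip' resolves to the RAP's own IP; the service
aliases svc-http and svc-https mean TCP/80 and TCP/443.
"""
from dataclasses import dataclass
from typing import List

RAP_LOCAL_IP = "192.0.2.1"   # constructed; what the 'localip' alias resolves to
CLIENT_IP = "192.0.2.50"     # constructed; a host on the RAP's LAN side
SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    src: str      # 'user' (the client's own address) or 'any'
    dst: str      # 'localip', 'any', or a literal address
    svc: str      # a SERVICES alias or 'any'
    action: str   # 'permit' or 'deny'


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# ip access-list session logon-control
#   user localip svc-http deny
#   user any permit
LOGON_CONTROL = [
    Rule("user", "localip", "svc-http", "deny"),
    Rule("user", "any", "any", "permit"),
]


def _dst_matches(rule_dst: str, flow: Flow, local_ip: str) -> bool:
    if rule_dst == "any":
        return True
    if rule_dst == "localip":
        return flow.dst == local_ip
    return flow.dst == rule_dst


def _svc_matches(rule_svc: str, flow: Flow) -> bool:
    if rule_svc == "any":
        return True
    proto, port = SERVICES[rule_svc]
    return flow.proto == proto and flow.dport == port


def evaluate(acl: List[Rule], flow: Flow, local_ip: str = RAP_LOCAL_IP) -> str:
    """Return the action of the first matching rule, or 'deny' when nothing
    matches (modelling the implicit deny at the end of a session ACL)."""
    for rule in acl:
        # In this model a 'user' source matches any flow from the client.
        if _dst_matches(rule.dst, flow, local_ip) and _svc_matches(rule.svc, flow):
            return rule.action
    return "deny"


def workaround_closes_console(acl: List[Rule] = LOGON_CONTROL) -> bool:
    """Does the ACL block a client's HTTP session to the RAP's own address?"""
    probe = Flow(CLIENT_IP, RAP_LOCAL_IP, "tcp", 80)
    return evaluate(acl, probe) == "deny"


if __name__ == "__main__":
    print("console over HTTP blocked:", workaround_closes_console())
    print("web traffic to the internet:",
          evaluate(LOGON_CONTROL, Flow(CLIENT_IP, "203.0.113.9", "tcp", 80)))
    print("HTTPS to the RAP itself:",
          evaluate(LOGON_CONTROL, Flow(CLIENT_IP, RAP_LOCAL_IP, "tcp", 443)))
    print("rules reversed, console blocked:",
          workaround_closes_console(list(reversed(LOGON_CONTROL))))
```

Two things the model makes visible: with the permit placed first, the deny is never reached and the console stays open, so keep the rule order exactly as the advisory gives it; and svc-http covers only TCP/80, so if the console on your build is also reachable over HTTPS (the advisory mentions only HTTP), add a matching "user localip svc-https deny" above the permit. After applying the ACL, confirm from a client behind the RAP that a TCP connection to the RAP's address on port 80 is refused.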
Vulnerability Metrics
=====================
Vulnerability Class: Improper Neutralization of Special Elements used in an OS Command (CWE-78)
Severity: Low
CVSSv2 Overall Score: 3.0
CVSSv2 Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:N)

Discovery
=========
This issue was reported to Aruba's TAC by a customer.

Obtaining Fixed Software
========================
Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:
+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

Revision History
================
Revision 1.0 / 2015-Mar-18 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2015 by Aruba Networks, Inc. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.
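The advisory classifies the bug as CWE-78 (OS command injection) and withholds the actual vector. The following is an added, constructed illustration of that vulnerability class and its fix; it is not Aruba's RAP console code and does not reproduce the undisclosed bug. It models a hypothetical device diagnostic handler that takes a user-supplied host and shells out to a tool, with "echo" standing in for the real tool so the example runs offline. The function names and the allowlist pattern are this example's own.

```python
"""Illustrative OS command injection (CWE-78) beside two fixes.

Constructed example for this page, not Aruba code. A hypothetical
diagnostic handler takes a user-controlled 'target' and runs a program
with it; 'echo' stands in for the real tool so this runs offline.
"""
import re
import subprocess

# Allowlist for a hostname or IPv4 literal. The first character may not be
# '-', so a value can never be parsed as an option by the called program.
_TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_valid_target(target: str) -> bool:
    return _TARGET_RE.fullmatch(target) is not None


def diag_vulnerable(target: str) -> str:
    """The vulnerable pattern: a command line built by string concatenation
    and handed to /bin/sh. Shell metacharacters in 'target' (; | && $() ...)
    are interpreted, so whoever controls 'target' runs arbitrary commands
    with this process's privileges (root, in the RAP case)."""
    cmd = "echo pinging " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diag_no_shell(target: str) -> str:
    """Argument vector, no shell: 'target' reaches the program as a single
    argv element and is never parsed for metacharacters. This alone defeats
    shell injection, but a leading '-' could still be read as an option."""
    return subprocess.run(["echo", "pinging", target],
                          capture_output=True, text=True).stdout


def diag_hardened(target: str) -> str:
    """Allowlist validation plus argv invocation: defence in depth."""
    if not is_valid_target(target):
        raise ValueError("rejected target: %r" % target)
    return subprocess.run(["echo", "pinging", target],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"
    print(repr(diag_vulnerable(payload)))   # the injected command runs
    print(repr(diag_no_shell(payload)))     # payload echoed as plain text
    try:
        diag_hardened(payload)
    except ValueError as exc:
        print(exc)
```

The interesting line is the first one in the vulnerable handler: the bug is not the tool being called but the shell sitting between the program and its argument. Removing the shell closes the injection; the allowlist additionally stops option injection and keeps the input to what the feature actually needs.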

References:

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-004.txt
http://www.arubanetworks.com/support-services/security-bulletins/

