Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2015-004
CVE: CVE-2015-1388
Publication Date: 2015-03-18
Status: Confirmed, Fixed
Revision: 1
Title
=====
Aruba Remote Access Point (RAP) Command Injection
Overview
========
Aruba has identified a problem with the "RAP Console" feature used in
Aruba access points operating in Remote AP mode.
Affected Products
=================
-- ArubaOS 5.x
-- ArubaOS 6.1.x
-- ArubaOS 6.2.x
-- ArubaOS 6.3 prior to 6.3.1.15
-- ArubaOS 6.4 prior to 6.4.2.4
Solution
========
Upgrade to one of the following software versions:
-- ArubaOS 6.3.1.15 or later
-- ArubaOS 6.4.2.4 or later
Note: ArubaOS 5.x, 6.1.x, and 6.2.x are no longer being actively developed, and
security patches are produced by default only for high-severity issues.
Customers who require patches for older versions should contact Aruba Technical Support
to make that request.
Details
=======
This vulnerability allows a local user to execute commands on the RAP's
underlying operating system with the privilege level of "root". Access
to the "RAP console" is available only to RAPs configured in bridge mode
or split-tunnel mode.
In order to protect customer networks, Aruba is providing no additional
details in the initial advisory. In accordance with our vulnerability
disclosure policy, Aruba will update this advisory in 60 days to provide
full details of the vulnerability.
Workaround
==========
Access to the "RAP console" interface may be disabled through use of a
firewall rule. See the ArubaOS User Guide section entitled,
"Configuring an ACL to Restrict Local Debug Homepage Access" for details.
An example of this ACL follows::

    ip access-list session logon-control
      user localip svc-http deny
      user any permit

In the ACL above, the alias "localip" refers to the IP address of the RAP.
When applied to user traffic, this ACL would deny local users the ability
to establish an HTTP session with the RAP.
Vulnerability Metrics
=====================
Vulnerability Class: Improper Neutralization of Special Elements used in an OS Command (CWE-78)
Severity: Low
CVSSv2 Overall Score: 3.0
CVSSv2 Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:N)
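The score above follows from the vector by the CVSS v2 base equations. The Python below is an added example, not part of the advisory: it parses a CVSS v2 base vector, applies the published v2 weights and equations, and reproduces the 3.0 that Aruba assigned to (AV:L/AC:M/Au:S/C:P/I:P/A:N). It also generalises to any v2 base vector, which is useful when re-scoring an issue for your own environment (for example, changing AV:L to AV:N if the console were reachable remotely in a deployment).

```python
# Added example (not from the Aruba advisory): CVSS v2 base score from a vector.
# Weights and equations are those of the CVSS v2 specification.

from typing import Dict, Tuple

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

METRIC_TABLES = {
    "AV": ACCESS_VECTOR,
    "AC": ACCESS_COMPLEXITY,
    "Au": AUTHENTICATION,
    "C": IMPACT,
    "I": IMPACT,
    "A": IMPACT,
}

# The vector as printed in the advisory (parentheses included).
ADVISORY_VECTOR = "(AV:L/AC:M/Au:S/C:P/I:P/A:N)"


def parse_cvss2_vector(vector: str) -> Dict[str, str]:
    """Parse 'AV:L/AC:M/Au:S/C:P/I:P/A:N' (optionally parenthesised) into a dict,
    rejecting unknown metrics, unknown values and incomplete vectors."""
    vector = vector.strip().strip("()")
    metrics: Dict[str, str] = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in METRIC_TABLES or value not in METRIC_TABLES[name]:
            raise ValueError(f"unknown CVSS v2 metric or value: {part!r}")
        metrics[name] = value
    missing = set(METRIC_TABLES) - set(metrics)
    if missing:
        raise ValueError(f"incomplete vector, missing {sorted(missing)}")
    return metrics


def cvss2_components(vector: str) -> Tuple[float, float]:
    """Return (Impact, Exploitability) sub-scores per the v2 base equations."""
    m = parse_cvss2_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    return impact, exploitability


def cvss2_base_score(vector: str) -> float:
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)),
    where f(Impact) is 0 when Impact is 0 and 1.176 otherwise."""
    impact, exploitability = cvss2_components(vector)
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


if __name__ == "__main__":
    imp, expl = cvss2_components(ADVISORY_VECTOR)
    print(f"Impact={imp:.2f} Exploitability={expl:.2f} Base={cvss2_base_score(ADVISORY_VECTOR)}")
```

For the advisory's vector the impact sub-score is about 4.94 and the exploitability sub-score about 2.70, giving a base score of 3.0, consistent with the "Low" severity stated above.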
Discovery
=========
This issue was reported to Aruba's TAC by a customer.
Obtaining Fixed Software
========================
Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com
Aruba Support contacts are as follows:
+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
The full contact list is at:
http://www.arubanetworks.com/support-services/support-program/contact-support/
e-mail: support(at)arubanetworks.com
Please do not contact "sirt(at)arubanetworks.com" for software upgrades.
Revision History
================
Revision 1.0 / 2015-Mar-18 / Initial release
Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks
products and on obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/
For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/
(c) Copyright 2015 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.