
Aruba Networks: OS command injection in RAP web interface and 802.1X EAP-TLS user authentication


An OS command injection vulnerability has been discovered in the Aruba Remote Access Point’s Diagnostic Web Interface. When running the diagnostic web interface, arbitrary system commands can be executed as the root user on the Remote device by an unauthenticated attacker.

The Remote Access Point provides a web interface to facilitate initial provisioning of the device. This web interface provides functionality to run some basic network diagnostics and enter configuration parameters necessary for successful provisioning. An OS command injection vulnerability has been discovered in this web interface where malicious user input can be injected via form elements and run arbitrary system commands on the device as root user. This diagnostic web interface can be disabled after initial provisioning of the device.
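The pattern described above, as an added illustration that is not Aruba's code: a diagnostic handler that concatenates a form value into a shell string, next to the hardened form that allow-lists the target (IP address or RFC 1123 hostname shape) and hands it to the process as a single argv element with no shell. The `ping -c 3` diagnostic, the function names and the sample inputs are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname shape: dot-separated labels of letters, digits and hyphens,
# each label starting and ending with an alphanumeric, 253 chars overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_command(target: str) -> str:
    """The injectable pattern: the raw form value is spliced into a string that
    /bin/sh will re-parse, so ';', '$(...)', backticks and '|' change the command.
    Returned rather than executed, purely for contrast with build_ping_argv."""
    return "ping -c 3 " + target


def is_valid_target(target: str) -> bool:
    """Allow-list check: the value must parse as an IPv4/IPv6 address or match
    the hostname shape. Shell metacharacters, whitespace and a leading '-'
    (option injection) all fail, because they cannot occur in either form."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def build_ping_argv(target: str) -> List[str]:
    """Build the argv list for the diagnostic; anything that is not a plain host
    is rejected before it gets anywhere near a process."""
    if not is_valid_target(target):
        raise ValueError("rejected diagnostic target: %r" % target)
    return ["ping", "-c", "3", target]


def run_diagnostic(target: str, timeout: float = 10.0) -> "subprocess.CompletedProcess[str]":
    """Run without a shell: argv goes straight to execve, so the target is
    always exactly one argument and is never re-parsed as shell syntax."""
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed sample form inputs, not captured from a real device.
    for value in ["192.0.2.10", "gateway.example.net", "8.8.8.8; id", "$(id)", "-f", "a b"]:
        print("%-20s -> %s" % (value, "accepted" if is_valid_target(value) else "rejected"))
```

Validation alone is not the fix the page recommends; the vendor patch and the ACL restriction on the diagnostic interface still apply. The allow-list simply shows why a diagnostic form must never reach a shell.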

An unauthenticated attacker can run arbitrary system commands on the device as root user. This could lead to a full compromise of the device’s operating system.

This vulnerability applies only to the Aruba Remote Access Point; other Aruba devices are not affected.

Aruba Networks recommends not allowing access to the Aruba Remote Access Point’s diagnostic web interface after initial provisioning by applying an access list (ACL) that blocks the HTTP and HTTPS protocols to its local IP. This restricting ACL needs to be in the highest position of the ACL rules for each user-role that should not have access to the diagnostic web interface.

Example restricted IP access list added to a user-role called guest:

ip access-list session local_debug_restricted
user localip svc-http deny
user localip svc-https deny

user-role guest
access-list session local_debug_restricted
access-list session dns-acl
access-list session dhcp-acl
access-list session icmp-acl
access-list session http-acl
access-list session https-acl

Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical.

The following patches have the fix (any newer patch will also have the fix):

- ArubaOS 5.0.4.2
- ArubaOS 6.0.2.1
- ArubaOS 6.1.2.4
