[SECURITY-L] [OpenSSL heartbeat] Aruba Networks Security Advisory 040814

CSIRT - UNICAMP security em unicamp.br
Wed Apr 9 11:01:22 -03 2014


----- Forwarded message from Aruba Networks Customer Advocacy <noreply em arubanetworks.com> -----

Date: 9 Apr 2014 02:45:10 -0700
From: Aruba Networks Customer Advocacy <noreply em arubanetworks.com>
To: noc em unicamp.br
Subject: Aruba Networks Security Advisory 040814

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Aruba Networks Customer/Partner: 

The purpose of this advisory is to address an important issue that affects
Aruba Products that use the OpenSSL 1.0.1 Library.

Advisory Number 040814
CVE-2014-0160


TITLE

OpenSSL 1.0.1 library (Heartbleed) vulnerability. 
 

SUMMARY
 
There is a very serious vulnerability that has been discovered in the 
OpenSSL 1.0.1 library. This vulnerability can allow an external attacker
to extract segments of memory from a remote system without leaving any
traces. This memory could contain vital security information, including
private keys. These keys, in turn, could be used to mount a man-in-the-middle
attack.


AFFECTED VERSIONS

* ArubaOS 6.3.x, 6.4.x
* ClearPass 6.1.x, 6.2.x, 6.3.x

Previous versions of these products used an earlier version of OpenSSL
that is not vulnerable. No other Aruba products, including AirWave and Instant,
run these vulnerable versions of OpenSSL. Aruba Central, Aruba Networks'
cloud-based Wi-Fi offering, upgraded its web infrastructure to the latest,
safe version of OpenSSL on April 7, after the vulnerability was first published.
 

DETAILS
 
OpenSSL is a very widely used library, and this vulnerability is likely to
affect many systems and websites. Aruba Networks uses this library in
different products to secure communications between our infrastructure and
various clients. This bug is in OpenSSL's implementation of the TLS/DTLS
(transport layer security protocols) heartbeat extension (RFC 6520).
When exploited, it leaks server memory to the client.
In some cases it has been demonstrated that key material may be part of
this memory leak.


DISCOVERY

This vulnerability was announced through CVE-2014-0160.


IMPACT

OpenSSL is used in a variety of ways in Aruba products, including:
* HTTPS communications via the Administrative Web GUI
* HTTPS communications via Captive Portals
* Secure RADIUS communication
* Secure communication with some third party APIs

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
 

MITIGATION
 
As always, Aruba Networks recommends that best security practices are 
followed, including reduction of possible attack surface areas by use 
of access control methods such as network-level ACLs to restrict access.
However, given the ubiquitous use of OpenSSL, this may not completely 
protect your infrastructure.
 
 
SOLUTION
 
Aruba Networks will be publishing patch releases for the affected products
by EOB April 10, 2014. We recommend that all customers upgrade to these
versions immediately.

ArubaOS 6.3.1.5 
ArubaOS 6.4.0.3
ClearPass 6.1.X
ClearPass 6.2.X
ClearPass 6.3.X

Given that there is a chance that key material may already
have been compromised, we are further advising customers to consider
replacing their certificates after the upgrade is completed.

+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
	http://support.arubanetworks.com


Aruba Support contacts are as follows:

	1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
	
	+1-408-754-1200 (toll call from anywhere in the world)

	The full contact list is at:
	http://www.arubanetworks.com/support-services/support-program/contact-support/

	e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or 
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at 

Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-040814.asc


STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-040814.asc


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY

      Revision 1.0 / 04-08-2014 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at

http://www.arubanetworks.com/support-services/security-bulletins/
   
  
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at 

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2014 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (MingW32)

iEYEARECAAYFAlNFCRYACgkQp6KijA4qefWDrwCgqLLPkAbhCUEXRGuz7wHmPeOY
H7EAoNG4mdPkU5CGx4UjmQWHkLYZJz7y
=VkbY
-----END PGP SIGNATURE-----


----- End forwarded message -----



More details about the SECURITY-L mailing list