Aruba fixes networking device flaws that could open doors for hackers

The flaws affect ArubaOS, the AirWave Management Platform (AMP) and Aruba Instant (IAP)

Wireless networking device manufacturer Aruba Networks has fixed multiple vulnerabilities in its software that could, under certain circumstances, allow attackers to compromise devices.

The vulnerabilities were discovered by Sven Blumenstein from the Google Security Team and affect ArubaOS, Aruba's AirWave Management Platform (AMP) and Aruba Instant (IAP).

There are 26 distinct issues, ranging from privileged remote code execution to information disclosure, an insecure update mechanism and insecure storage of credentials and private keys. Aruba, however, tracks them all under just two CVE IDs: CVE-2016-2031 and CVE-2016-2032.

The issues shared by all of the affected products stem from design flaws in PAPI, Aruba's proprietary management and control protocol.

"The PAPI protocol contains a number of unremediated flaws, including: MD5 message digests are not properly validated upon receipt, PAPI encryption protocol is weak; all Aruba devices use a common static key for message validation," Aruba, which is a Hewlett Packard Enterprise subsidiary, said in an advisory.

The impact of these issues varies with the network configuration; the company plans to fix them in Aruba Instant and the AirWave Management Platform later this year.

The planned update will change PAPI so that it operates within a secure channel such as DTLS or IPsec, the company said. Until then, customers can apply the recommendations included in the "Control Plane Security Best Practices" document that was published on the company's support portal.
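To make the first and third of the quoted PAPI weaknesses concrete (a receiver that does not validate the digest, and a validation key that is the same on every device), here is a constructed illustration. It is added for this page and is not Aruba's code: the frame layout, the key values and the two device secrets are made up, and it does not model PAPI's real wire format, its weak encryption layer, or the DTLS/IPsec channel Aruba plans to wrap the protocol in. It only shows why a per-message check with a fleet-wide static key fails and what a per-device HMAC buys.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values for the example only; not PAPI's format and not real keys.
FLEET_STATIC_KEY = b"same-key-on-every-unit"   # hypothetical fleet-wide key
DEVICE_A_SECRET = b"unit-A-factory-secret"     # hypothetical per-device secret
DEVICE_B_SECRET = b"unit-B-factory-secret"

MD5_LEN = 16
HMAC_LEN = 32


def build_legacy(body: bytes, key: bytes = FLEET_STATIC_KEY) -> bytes:
    """Legacy-style frame: body || MD5(key || body), same key on every device."""
    return body + hashlib.md5(key + body).digest()


def recv_no_validation(frame: bytes) -> bytes:
    """Receiver that strips the digest without checking it ('not properly validated')."""
    return frame[:-MD5_LEN]


def recv_static_key(frame: bytes, key: bytes = FLEET_STATIC_KEY) -> Optional[bytes]:
    """Receiver that does check the digest, but with the shared static key."""
    body, digest = frame[:-MD5_LEN], frame[-MD5_LEN:]
    if not hmac.compare_digest(hashlib.md5(key + body).digest(), digest):
        return None
    return body


def tamper(frame: bytes, new_body: bytes) -> bytes:
    """On-path attacker swaps the body and keeps the original digest."""
    return new_body + frame[-MD5_LEN:]


def derive_device_key(device_secret: bytes) -> bytes:
    """Hardened layer: per-device MAC key derived from a per-device secret."""
    return hmac.new(device_secret, b"control-plane-mac", hashlib.sha256).digest()


def build_hardened(body: bytes, device_key: bytes) -> bytes:
    """Hardened frame: body || HMAC-SHA256(device_key, body)."""
    return body + hmac.new(device_key, body, hashlib.sha256).digest()


def recv_hardened(frame: bytes, device_key: bytes) -> Optional[bytes]:
    """Constant-time tag check with the receiver's own per-device key."""
    body, tag = frame[:-HMAC_LEN], frame[-HMAC_LEN:]
    expected = hmac.new(device_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return body


def demo() -> dict:
    """Run the scenarios and report which receivers accept which frames."""
    good = b"SET ssid=corp"
    evil = b"SET ssid=rogue"
    legit = build_legacy(good)
    results = {}

    # 1. No validation: a body swapped in transit is accepted unchanged.
    results["no_validation_accepts_tamper"] = recv_no_validation(tamper(legit, evil)) == evil

    # 2. Checking the digest stops blind tampering...
    results["static_key_rejects_tamper"] = recv_static_key(tamper(legit, evil)) is None

    # 3. ...but the key is identical on every unit, so an attacker who pulled it
    #    out of any one device can forge frames that every other device accepts.
    forged = build_legacy(evil, FLEET_STATIC_KEY)
    results["static_key_accepts_forgery"] = recv_static_key(forged) == evil

    # Hardened: key material recovered from unit A does not authenticate to unit B.
    key_a = derive_device_key(DEVICE_A_SECRET)
    key_b = derive_device_key(DEVICE_B_SECRET)
    results["hardened_accepts_own_key"] = recv_hardened(build_hardened(good, key_b), key_b) == good
    results["hardened_rejects_other_key"] = recv_hardened(build_hardened(evil, key_a), key_b) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The per-device HMAC is only the per-message half of a fix; it still leaves the control traffic in the clear, which is why the advisory's direction of moving PAPI inside DTLS or IPsec (authenticated, encrypted, with per-peer keys negotiated rather than baked into firmware) is the right end state.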

Most of the remaining flaws were fixed in IAP 4.1.3.0 and 4.2.3.1, and in AMP 8.2.0.

There are two issues in IAP that Aruba does not consider security vulnerabilities, but because they're not in line with industry best practices the company will fix them in a future update.

One of them stems from a static password for an engineering support mode that exposes additional configuration and diagnostic capabilities; misuse of that mode could physically damage the AP hardware. The mode can only be reached from an authenticated administrative session, so an attacker would first need administrative credentials.

The other stems from a single static key used to encrypt every password stored in the IAP configuration file. An attacker who obtains such a file could reverse-engineer the platform's code to extract the key and decrypt all of the stored passwords.

Lucian Constantin

IDG News Service