Google security engineer Sven Blumenstein has identified over two dozen vulnerabilities affecting several products from HPE-owned network access solutions provider Aruba Networks.
An advisory published by Blumenstein on Friday details a total of 26 security issues discovered during a black box security assessment. The vulnerabilities impact all versions of ArubaOS, AirWave Management Platform 8.x versions prior to 8.2, and Aruba Instant access points (IAP) prior to 220.127.116.11 and 18.104.22.168.
Some of the more serious vulnerabilities found by the Google security engineer are related to Aruba’s proprietary PAPI protocol. The company has published an advisory detailing PAPI flaws and how to address the risks.
Blumenstein found that the AirWave Management Platform is plagued by at least four security holes. The list includes exposure of the RabbitMQ management interface, the use of a weak calculation algorithm for the cross-site request forgery (CSRF) token, a code/command injection flaw affecting the NTP configuration file, and a PAPI-related authentication bypass issue.
The expert discovered that Instant access points are plagued by 22 vulnerabilities, including the transmission of login credentials via HTTP, default accounts, remote code execution flaws, firmware-related weaknesses, information disclosure issues, and PAPI-related security bugs.
Aruba noted in its advisories that all Instant vulnerabilities have been assigned the CVE identifier CVE-2016-2031, and all the AirWave issues will be tracked as CVE-2016-2032. The vendor has rated most of the flaws as having low or medium severity; only some of the PAPI-related issues have been classified as having high severity.
The vulnerabilities were reported to Aruba on January 22 and since Google has a 90-day disclosure policy they should have been disclosed on April 22, but the vendor asked for a 14-day grace period. Aruba has patched many of the vulnerabilities, but the company says some of them cannot be fixed quickly. Security updates for these issues are expected to be released in the third quarter of 2016.
“The vulnerabilities were discovered during a black box security assessment and therefore the vulnerability list should not be considered exhaustive,” Blumenstein wrote in his advisory.
Related Reading: Cisco Patches Serious Flaws in FirePOWER, TelePresence
Related Reading: Juniper to Enhance RNG in ScreenOS