Connect with us

Hi, what are you looking for?


Network Security

Over Two Dozen Flaws Found in Aruba Products

Google security engineer Sven Blumenstein has identified over two dozen vulnerabilities affecting several products from HPE-owned network access solutions provider Aruba Networks.

Google security engineer Sven Blumenstein has identified over two dozen vulnerabilities affecting several products from HPE-owned network access solutions provider Aruba Networks.

An advisory published by Blumenstein on Friday details a total of 26 security issues discovered during a black box security assessment. The vulnerabilities impact all versions of ArubaOS, AirWave Management Platform 8.x versions prior to 8.2, and Aruba Instant access points (IAP) prior to and

Some of the more serious vulnerabilities found by the Google security engineer are related to Aruba’s proprietary PAPI protocol. The company has published an advisory detailing PAPI flaws and how to address the risks.

Blumenstein found that the AirWave Management Platform is plagued by at least four security holes. The list includes exposure of the RabbitMQ management interface, the use of a weak calculation algorithm for the cross-site request forgery (CSRF) token, a code/command injection flaw affecting the NTP configuration file, and a PAPI-related authentication bypass issue.

The expert discovered that Instant access points are plagued by 22 vulnerabilities, including the transmission of login credentials via HTTP, default accounts, remote code execution flaws, firmware-related weaknesses, information disclosure issues, and PAPI-related security bugs.

Aruba noted in its advisories that all Instant vulnerabilities have been assigned the CVE identifier CVE-2016-2031, and all the AirWave issues will be tracked as CVE-2016-2032. The vendor has rated most of the flaws as having low or medium severity; only some of the PAPI-related issues have been classified as having high severity.

The vulnerabilities were reported to Aruba on January 22 and since Google has a 90-day disclosure policy they should have been disclosed on April 22, but the vendor asked for a 14-day grace period. Aruba has patched many of the vulnerabilities, but the company says some of them cannot be fixed quickly. Security updates for these issues are expected to be released in the third quarter of 2016.

Advertisement. Scroll to continue reading.

“The vulnerabilities were discovered during a black box security assessment and therefore the vulnerability list should not be considered exhaustive,” Blumenstein wrote in his advisory.

Related Reading: Cisco Patches Serious Flaws in FirePOWER, TelePresence

Related Reading: Juniper to Enhance RNG in ScreenOS

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...