Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Over Two Dozen Flaws Found in Aruba Products

Google security engineer Sven Blumenstein has identified over two dozen vulnerabilities affecting several products from HPE-owned network access solutions provider Aruba Networks.

Google security engineer Sven Blumenstein has identified over two dozen vulnerabilities affecting several products from HPE-owned network access solutions provider Aruba Networks.

An advisory published by Blumenstein on Friday details a total of 26 security issues discovered during a black box security assessment. The vulnerabilities impact all versions of ArubaOS, AirWave Management Platform 8.x versions prior to 8.2, and Aruba Instant access points (IAP) prior to 4.1.3.0 and 4.2.3.1.

Some of the more serious vulnerabilities found by the Google security engineer are related to Aruba’s proprietary PAPI protocol. The company has published an advisory detailing PAPI flaws and how to address the risks.

Blumenstein found that the AirWave Management Platform is plagued by at least four security holes. The list includes exposure of the RabbitMQ management interface, the use of a weak calculation algorithm for the cross-site request forgery (CSRF) token, a code/command injection flaw affecting the NTP configuration file, and a PAPI-related authentication bypass issue.

The expert discovered that Instant access points are plagued by 22 vulnerabilities, including the transmission of login credentials via HTTP, default accounts, remote code execution flaws, firmware-related weaknesses, information disclosure issues, and PAPI-related security bugs.

Aruba noted in its advisories that all Instant vulnerabilities have been assigned the CVE identifier CVE-2016-2031, and all the AirWave issues will be tracked as CVE-2016-2032. The vendor has rated most of the flaws as having low or medium severity; only some of the PAPI-related issues have been classified as having high severity.

The vulnerabilities were reported to Aruba on January 22 and since Google has a 90-day disclosure policy they should have been disclosed on April 22, but the vendor asked for a 14-day grace period. Aruba has patched many of the vulnerabilities, but the company says some of them cannot be fixed quickly. Security updates for these issues are expected to be released in the third quarter of 2016.

“The vulnerabilities were discovered during a black box security assessment and therefore the vulnerability list should not be considered exhaustive,” Blumenstein wrote in his advisory.

Advertisement. Scroll to continue reading.

Related Reading: Cisco Patches Serious Flaws in FirePOWER, TelePresence

Related Reading: Juniper to Enhance RNG in ScreenOS

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.