Google security engineer Sven Blumenstein has identified over two dozen vulnerabilities affecting several products from HPE-owned network access solutions provider Aruba Networks.
An advisory published by Blumenstein on Friday details a total of 26 security issues discovered during a black box security assessment. The vulnerabilities impact all versions of ArubaOS, AirWave Management Platform 8.x versions prior to 8.2, and Aruba Instant access points (IAP) prior to 4.1.3.0 and 4.2.3.1.
Some of the more serious vulnerabilities found by the Google security engineer are related to Aruba’s proprietary PAPI protocol. The company has published an advisory detailing PAPI flaws and how to address the risks.
Blumenstein found that the AirWave Management Platform is plagued by at least four security holes. The list includes exposure of the RabbitMQ management interface, the use of a weak calculation algorithm for the cross-site request forgery (CSRF) token, a code/command injection flaw affecting the NTP configuration file, and a PAPI-related authentication bypass issue.
The expert discovered that Instant access points are plagued by 22 vulnerabilities, including the transmission of login credentials via HTTP, default accounts, remote code execution flaws, firmware-related weaknesses, information disclosure issues, and PAPI-related security bugs.
Aruba noted in its advisories that all Instant vulnerabilities have been assigned the CVE identifier CVE-2016-2031, and all the AirWave issues will be tracked as CVE-2016-2032. The vendor has rated most of the flaws as having low or medium severity; only some of the PAPI-related issues have been classified as having high severity.
The vulnerabilities were reported to Aruba on January 22 and since Google has a 90-day disclosure policy they should have been disclosed on April 22, but the vendor asked for a 14-day grace period. Aruba has patched many of the vulnerabilities, but the company says some of them cannot be fixed quickly. Security updates for these issues are expected to be released in the third quarter of 2016.
“The vulnerabilities were discovered during a black box security assessment and therefore the vulnerability list should not be considered exhaustive,” Blumenstein wrote in his advisory.
Related Reading: Cisco Patches Serious Flaws in FirePOWER, TelePresence
Related Reading: Juniper to Enhance RNG in ScreenOS

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
