Google security engineer Sven Blumenstein has identified over two dozen vulnerabilities affecting several products from HPE-owned network access solutions provider Aruba Networks.
An advisory published by Blumenstein on Friday details a total of 26 security issues discovered during a black box security assessment. The vulnerabilities impact all versions of ArubaOS, AirWave Management Platform 8.x versions prior to 8.2, and Aruba Instant access points (IAP) prior to 4.1.3.0 and 4.2.3.1.
Some of the more serious vulnerabilities found by the Google security engineer are related to Aruba’s proprietary PAPI protocol. The company has published an advisory detailing PAPI flaws and how to address the risks.
Blumenstein found that the AirWave Management Platform is plagued by at least four security holes. The list includes exposure of the RabbitMQ management interface, the use of a weak calculation algorithm for the cross-site request forgery (CSRF) token, a code/command injection flaw affecting the NTP configuration file, and a PAPI-related authentication bypass issue.
The expert discovered that Instant access points are plagued by 22 vulnerabilities, including the transmission of login credentials via HTTP, default accounts, remote code execution flaws, firmware-related weaknesses, information disclosure issues, and PAPI-related security bugs.
Aruba noted in its advisories that all Instant vulnerabilities have been assigned the CVE identifier CVE-2016-2031, and all the AirWave issues will be tracked as CVE-2016-2032. The vendor has rated most of the flaws as having low or medium severity; only some of the PAPI-related issues have been classified as having high severity.
The vulnerabilities were reported to Aruba on January 22 and since Google has a 90-day disclosure policy they should have been disclosed on April 22, but the vendor asked for a 14-day grace period. Aruba has patched many of the vulnerabilities, but the company says some of them cannot be fixed quickly. Security updates for these issues are expected to be released in the third quarter of 2016.
“The vulnerabilities were discovered during a black box security assessment and therefore the vulnerability list should not be considered exhaustive,” Blumenstein wrote in his advisory.
Related Reading: Cisco Patches Serious Flaws in FirePOWER, TelePresence
Related Reading: Juniper to Enhance RNG in ScreenOS
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- Cisco to Acquire Splunk for $28 Billion
- Car Cybersecurity Study Shows Drop in Critical Vulnerabilities Over Past Decade
- Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis
- Intel Launches New Attestation Service as Part of Trust Authority Portfolio
- Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems
Latest News
- Researchers Discover Attempt to Infect Leading Egyptian Opposition Politician With Predator Spyware
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
