Security problems in "secure" Aruba wireless controllers
Jan Münther and Maxim Salomon of security company n.runs have discovered two security problems in Aruba wireless controllers. First, it is possible to obtain access to the administrator front end using a guest account, without needing to enter further login information. Second, a heap-based buffer overflow may occur in the management interface if overly long login data is used. According to n.runs, this may lead to execution of injected code.
The severity of these problems is exacerbated by the fact that Aruba's access points, which are not exactly cheap, are primarily used in business and government agency environments with special security requirements. Aruba promotes its products on the basis of its certification to FIPS 140-2, a US security standard for governmental agencies. An application for certification to Common Criteria EAL4 has been made for the Aruba 800 and 6000 Mobility Controller, and certification was expected in early 2007.
Aruba Networks Mobility Controllers (200, 800, 2400, and 6000) running software versions greater than 2.0 and the Alcatel-Lucent OmniAccess Wireless 43xx and 6000 are affected. According to n.runs, Aruba has made updated firmware available to customers via its support pages to fix these problems. As a workaround, users can and should make access to the administrator interface as restrictive as possible and, if possible, even restrict it to the console.
- Aruba Mobility Controller Management Buffer Overflow by n.runs
- Aruba Networks - Unauthorized Administrative and WLAN Access through Guest Account by n.runs