Aruba Mobility Controller EAP帧远程拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1184319 漏洞类型 资源管理错误
发布时间 2008-12-08 更新时间 2008-12-18
CVE编号 CVE-2008-5563 CNNVD-ID CNNVD-200812-248
漏洞平台 N/A CVSS评分 7.8
|漏洞来源
https://www.securityfocus.com/bid/32694
https://cxsecurity.com/issue/WLB-2008120123
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-248
|漏洞详情
ArubaMobilityController可为企业提供移动接入解决方案。ArubaMobilityController接受来自无线接口(AP)和有线接口(连接到控制器物理端口的设备)帧。在802.11网络中,仅在使用WPA/WPA2Enterprise模式的时候才会使用EAP帧。畸形的EAP帧会在ArubaMobilityController上导致进程崩溃,配置为使用EAP认证的客户端会遇到临时的拒绝服务,重启受影响的进程后MobilityController会自动恢复正常运行。
|漏洞EXP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aruba Networks Security Advisory

Title: DoS Vulnerability in Aruba Mobility Controller Caused by
Malformed EAP Frame.

Aruba Advisory ID: AID-12808
Revision: 1.0

For Public Release on 12/8/2008

+----------------------------------------------------

SUMMARY

A Denial of Service (DoS) vulnerability was discovered during standard
bug reporting procedures
in the Aruba Mobility Controller. A malformed EAP frame causes a process
crash on the Aruba
Mobility Controller causing a temporary DoS condition for new clients
configured to use EAP
authentication. Prior successful security association is not required to
cause this condition.
The Mobility Controller recovers automatically by restarting the
affected process.

AFFECTED ArubaOS VERSIONS

2.4.8.x-FIPS, 2.5.x, 3.1.x, 3.2.x, 3.3.1.x, and 3.3.2.x versions

DETAILS

Extensible Authentication Protocol (EAP) is a framework used for
authentication in wireless and
point-point connections (RFC 3748). Aruba Mobility Controller accepts
EAP frames on both wireless
interfaces (via its thin APs) and wired interfaces (via devices
connected to untrusted physical
ports on the controller). In 802.11 networks, EAP frames are only used
when WPA/WPA2 Enterprise
modes are being used.

A malformed EAP frame causes a process crash on the Aruba Mobility
Controller. An attacking station
does not need to have completed a successful security association prior
to launching this attack
against the controller.

IMPACT

An attacker can inject a malformed EAP frame and cause a process crash
on the Aruba Mobility
Controller. This causes a service outage for new clients configured to
use EAP authentication.
The Mobility Controller recovers automatically by restarting the
affected process.  An attacker
could however cause a prolonged DoS condition by flooding the Aruba
Mobility Controller with
malicious EAP frames.

For wireless, this vulnerability only applies when operating in WPA/WPA2
Enterprise modes.
WPA/WPA2-PSK modes are unaffected by this vulnerability and so are
open/WEP based wireless networks.
This vulnerability does affect wired devices connected to untrusted
physical ports of the Mobility
Controller.

CVSS v2 BASE METRIC SCORE: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

WORKAROUNDS

Aruba Networks recommends that all customers that are using EAP
authentication apply the
appropriate patch(es) as soon as practical.  However, in the event that
a patch cannot
immediately be applied, the following steps might help in mitigating the
risk:

- - - Aruba Mobility Controllers allows for a mode of operation where a
wireless client's
EAP communication terminates on the controller, rather than on an
authentication server (RADIUS
server, LDAP server etc.). The Mobility Controller in turn queries the
authentication server on
behalf of the client using non EAP messages. This mode is referred to as
"EAP-Offload" and is
immune to this vulnerability. Enabling this mode on the Mobility
Controller can be used as a
workaround until the patch(es) can be applied. EAP-Offload is not
supported for wired client
devices.

SOLUTION

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.  However, in the event that a patch
can not immediately be applied, the workaround steps will help to mitigate
the risk.

+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
	http://www.arubanetworks.com/support.

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

+1-408-754-1200 (toll call from anywhere in the world)

e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.

EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at

Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-12808.asc

SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1

STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-12808.asc

Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.

REVISION HISTORY

~      Revision 1.0 / 12-8-2008 / Initial release

ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at
~      http://www.arubanetworks.com/support/wsirt.php

For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at
	http://www.arubanetworks.com/support/wsirt.php

~      (c) Copyright 2008 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk9c5kACgkQp6KijA4qefU7vACg4RsVQOwBPeGRdcf7/iOmXQTE
RNcAnRvRz7XFOHeOyRCcMFI5FF1synMd
=e8RT
-----END PGP SIGNATURE-----
|受影响的产品
Aruba Networks Aruba Mobility Controllers 2.5.4 .18 Aruba Networks Aruba Mobility Controllers 2.5.4 .17 Aruba Networks Aruba Mobility Controllers 2.4.8 .6-FIPS Aruba Networks Aruba Mobility Controllers 2.4.8
|参考资料

来源:SECTRACK
名称:1021362
链接:http://www.securitytracker.com/id?1021362
来源:BID
名称:32694
链接:http://www.securityfocus.com/bid/32694
来源:BUGTRAQ
名称:20081208DoSVulnerabilityinArubaMobilityControllerCausedbyMalformedEAPFrame(ArubaAdvisoryID:AID-12808)
链接:http://www.securityfocus.com/archive/1/archive/1/499014/100/0/threaded
来源:www.arubanetworks.com
链接:http://www.arubanetworks.com/support/alerts/aid-12808.asc
来源:SREASON
名称:4728
链接:http://securityreason.com/securityalert/4728
来源:SECUNIA
名称:33057
链接:http://secunia.com/advisories/33057