Aruba Mobility Controller and Alcatel-Lucent OmniAccess Wireless Management Interface Heap Buffer Overflow Vulnerability

Vulnerability ID: 1191679  Vulnerability type: Buffer overflow
Published: 2007-02-14  Updated: 2007-08-03
CVE ID: CVE-2007-0931  CNNVD-ID: CNNVD-200702-305
Affected platform: N/A  CVSS score: 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007020047
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-305
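|Vulnerability details
A heap-based buffer overflow exists in the management interfaces of (1) Aruba Mobility Controllers 200, 800, 2400, and 6000 and (2) Alcatel-Lucent OmniAccess Wireless 43xx and 6000. A remote attacker can use overly long credential strings to cause a denial of service (process crash) and possibly execute arbitrary code.
|Vulnerability EXP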
n.runs AG					   
http://www.nruns.com/			               security at nruns.com
n.runs-SA-2007.002                          		        8-Feb-2007

________________________________________________________________________

Vendor:			Aruba Networks, http://www.arubanetworks.com
Affected Products:	Aruba Mobility Controllers 200, 600, 2400, 6000
				Alcatel Alcatel-Lucent OmniAccess Wireless 43xx, 6000
Vulnerability:		Aruba Mobility Controller Management Buffer Overflow

Risk:				HIGH
CERT VU ID:			VU#613833

Vendor communication:

2007/01/11			Initial notification to Aruba WSIRT
2007/01/11			Aruba WSIRT assigns contact
2007/01/11			n.runs provides crashdump to Aruba
2007/01/15			Aruba provides feedback on the vulnerability
2007/01/18			Patches available
2007/01/27			n.runs verifies patched firmware

Systems Affected:

All Aruba Networks Mobility Controllers (200, 800, 2400, and 6000) running
software versions greater than 2.0
Alcatel-Lucent OmniAccess Wireless 43xx and 6000 running software versions
2.0 and later.

Overview:

The Aruba Mobility Controller's management interfaces are susceptible to a
heap based buffer overflow vulnerability.

Description:

Both the command line based and the web based management interface of the
Aruba Mobility Controller are vulnerable to a heap based buffer overflow
when overly long strings are passed as credentials. This can potentially
lead to remote code execution, resulting in a system compromise.

Impact:

The overflow will in any case result in memory corruption that crashes the
management interface's process, leading to a Denial of Service (DoS)
condition of the remote management capabilities. A carefully crafted
overflow may result in code execution, allowing an attacker to fully control
the device.

Solution:

Aruba Networks has made patched firmware available to their customers, who
should be able to retrieve it through Aruba's support site
https://support.arubanetworks.com. As a workaround, restrict access to the
administrative interfaces or disable them, reverting to console-only
administration.

Credit: 	Bugs found by Jan Münther and Maxim Salomon of n.runs AG.
		Special thanks to Scott Kelly of Aruba Networks for the quick and
		professional handling of this issue.
____________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security (at) nruns (dot) com for permission.
Use of the advisory constitutes acceptance for use in an "as is" condition. 
All warranties are excluded. In no event shall n.runs be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if n.runs
has been advised of the possibility of such damages.

Copyright 2007 n.runs AG. All rights reserved.
|References

Source: US-CERT
Name: VU#319913
Link: http://www.kb.cert.org/vuls/id/319913
Source: XF
Name: aruba-management-interface-bo(32459)
Link: http://xforce.iss.net/xforce/xfdb/32459
Source: BID
Name: 22538
Link: http://www.securityfocus.com/bid/22538
Source: BUGTRAQ
Name: 20070213 Aruba Mobility Controller Management Buffer Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/459928/100/0/threaded
Source: SECUNIA
Name: 24144
Link: http://secunia.com/advisories/24144
Source: OSVDB
Name: 33184
Link: http://osvdb.org/33184
Source: FULLDISC
Name: 20070213 Aruba Mobility Controller Management Buffer Overflow
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052380.html
Source: SREASON
Name: 2244
Link: http://securityreason.com/securityalert/2244