-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aruba Networks Security Advisory

Title: Aruba Mobility Controller Management Interface Login Pages Cross-Site Scripting Vulnerability
Aruba Advisory ID: AID-070907b
Revision: 1.1
For Public Release on 07/09/2007
References:
  CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
  US-CERT Advisory VU#680449

+----------------------------------------------------

SUMMARY

A cross-site scripting vulnerability was discovered during an external security audit of the Aruba Mobility Controller. This vulnerability affects customers using versions at or below 2.5.4.18, or FIPS versions at or below 2.4.8.6-FIPS. Certain malformed inputs to the web UI allow the injection of cross-site scripting (XSS) components, leading to a potential compromise of client web session integrity.

DETAILS

Aruba Mobility Controllers may present a web-based management and hospitality (captive portal) interface. Providing malformed input to the login CGI may result in the presentation of that input to the user within the context of the login page. Malicious XSS injection via the login CGI may not require action to be taken by the victim.

IMPACT

If a malicious attacker is able to reach the HTTP or HTTPS administrative login interface, it is possible to subvert the authentication exchange content to retrieve administrator authentication credentials.

CVSS BASE METRIC SCORE: 4.8

WORKAROUNDS

See Solution below.

SOLUTION

Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practicable. However, in the event that a patch cannot be immediately applied, the following steps will help to mitigate the risk:

- Do NOT expose the management interface of the Aruba controller to untrusted networks or networks which may contain untrusted users.

OBTAINING FIXED FIRMWARES

Aruba customers can obtain the firmware on the support website: http://www.arubanetworks.com/support.
Aruba Support contacts are as follows:
  1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
  +1-408-754-1200 (toll call from anywhere in the world)
  e-mail: support(at)arubanetworks.com

Please do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades.

EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at:
  Aruba W.S.I.R.T. Advisory: http://www.arubanetworks.com/support/wsirt/alerts/aid-021307b.asc
  US-CERT Advisory: http://www.kb.cert.org/vuls/id/680449

CREDIT

This vulnerability was initially reported by Adair Collins and Steve Palmer of HostsPlus. Additional information regarding this vulnerability was independently reported by Jan Fry and Adrian Pastor of ProCheckUp.

STATUS OF THIS NOTICE: FINAL

Although Aruba Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
  http://www.arubanetworks.com/support/alerts/aid-070907b.asc

Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.1 | 09-03-2007 | Updated sections DETAILS, IMPACT, CVSS BASE METRIC SCORE, SOLUTION, and CREDIT with the additional information received about this vulnerability.
Revision 1.0 | 07-09-2007 | Initial Release

ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Wireless Networks products, and on obtaining assistance with security incidents, is available at http://www.arubanetworks.com/support/wsirt.php

For reporting *NEW* Aruba Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.arubanetworks.com/support/wsirt.php

(c) Copyright 2007 by Aruba Networks, Inc.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG4Xbrp6KijA4qefURAtmUAKDPneF2zrjEWuYeBmCyrzVYBC30AwCg6VIF
DzAB03kUtP3S3u34dxXS5XY=
=8uq6
-----END PGP SIGNATURE-----
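The DETAILS section describes the defect class without showing it: a login CGI writes a request parameter back into the login page without encoding it. The following is an added example, not Aruba's code and not derived from the controller firmware; it is a minimal stand-in login page in Python showing the reflecting pattern beside the hardened version (HTML-entity encoding for the attribute context), an audit check that tells the two apart, and a scan over web-server access logs for requests to the login path that carry markup characters in the query string. The parameter name `user`, the path `/cgi-bin/login`, and the log lines are all constructed for this example.

```python
# Added example (not Aruba's code): a stand-in for a login CGI that reflects a
# request parameter into the page, in the vulnerable form the advisory
# describes and in a hardened form, plus a defender's log check.
# LOGIN_PATH, the "user" parameter and SAMPLE_LOG are constructed for this example.
import html
import re
from urllib.parse import parse_qs, unquote

LOGIN_PATH = "/cgi-bin/login"  # hypothetical path, not the controller's real one

def _user_param(query_string: str) -> str:
    """Pull the 'user' value out of a raw query string ('' if absent)."""
    return parse_qs(query_string).get("user", [""])[0]

def _login_form(user_value: str) -> str:
    """Shared page template; callers decide whether user_value is encoded."""
    return (f'<form method="post" action="{LOGIN_PATH}">'
            f'<input name="user" value="{user_value}">'
            f'<input name="password" type="password"></form>')

def render_login_unsafe(query_string: str) -> str:
    """Reflects the parameter verbatim: the pattern the advisory describes."""
    return _login_form(_user_param(query_string))

def render_login_safe(query_string: str) -> str:
    """Same page, but the value is entity-encoded for an HTML attribute
    context (quote=True also encodes ' and ", which matters inside value="")."""
    return _login_form(html.escape(_user_param(query_string), quote=True))

_MARKUP_CHARS = set('<>"\'')

def echoes_raw_markup(page: str, submitted: str) -> bool:
    """Audit check: True when a submitted string that contains markup
    characters appears in the page byte-for-byte, i.e. was not encoded."""
    return bool(_MARKUP_CHARS & set(submitted)) and submitted in page

# Detection over access logs (combined log format). Path stops at '?' so the
# query string is captured separately and URL-decoded before inspection.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^\s?]+)(?:\?(?P<query>\S*))? HTTP/')

def suspicious_login_requests(log_lines):
    """Return the log lines that hit LOGIN_PATH with markup characters in the
    query string. Percent-encoded forms (%3C, %22, ...) are decoded first."""
    hits = []
    for line in log_lines:
        m = _REQ_RE.search(line)
        if not m or m.group("path") != LOGIN_PATH:
            continue
        query = unquote(m.group("query") or "")
        if _MARKUP_CHARS & set(query):
            hits.append(line)
    return hits

# Constructed sample log: one ordinary login, one probe against the login
# path, and one markup character against an unrelated path (not flagged).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2007:10:00:01 +0000] "GET /cgi-bin/login HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Jul/2007:10:00:07 +0000] "POST /cgi-bin/login HTTP/1.1" 302 0',
    '10.0.0.9 - - [09/Jul/2007:10:03:15 +0000] "GET /cgi-bin/login?user=%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 540',
    '10.0.0.9 - - [09/Jul/2007:10:03:20 +0000] "GET /index.html?q=%3C HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    probe = 'x"><b>y</b>'
    qs = "user=" + probe
    print("unsafe page reflects raw markup:", echoes_raw_markup(render_login_unsafe(qs), probe))
    print("safe page reflects raw markup:  ", echoes_raw_markup(render_login_safe(qs), probe))
    for hit in suspicious_login_requests(SAMPLE_LOG):
        print("flagged:", hit)
```

The advisory's workaround (keep the management interface off untrusted networks) reduces who can reach the login CGI; the encoding shown in `render_login_safe` is what removes the defect itself, and the log scan is a cheap way to see whether the login path has been probed while a controller is still awaiting the patch. Because the query is URL-decoded before inspection, the check catches `%3C`-style encodings as well as literal angle brackets, but it is a coarse filter: a name containing an apostrophe will also be flagged, so treat hits as items to review rather than as confirmed attacks.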