Aruba Mobility Controller EAP Frame Processing Flaw Lets Remote Users Deny Service
SecurityTracker Alert ID: 1021362|
SecurityTracker URL: http://securitytracker.com/id/1021362
(Links to External Site)
Updated: Dec 17 2008|
Original Entry Date: Dec 9 2008
Denial of service via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 2.4.8.x-FIPS, 2.5.x, 3.1.x, 3.2.x, 3.3.1.x, and 3.3.2.x|
A vulnerability was reported in Aruba Mobility Controller. A remote user can cause denial of service conditions.|
A remote user can send a specially crafted Extensible Authentication Protocol (EAP) authentication frame to cause the target service to crash and then automatically restart. Clients configured to use EAP authentication will be unable to authenticate until the service restarts.
Systems operating in WPA/WPA2 Enterprise modes can be affected by remote wireless users.
WPA/WPA2-PSK modes are not affected.
Open and WEP-based wireless networks are not affected.
A remote user can prevent clients from authenticating.|
The vendor has issued a fix.|
The vendor's advisory is available at:
Vendor URL: www.arubanetworks.com/support/alerts/aid-12808.asc (Links to External Site)
Input validation error|
|Underlying OS: Windows (Any)|
Source Message Contents
Subject: DoS Vulnerability in Aruba Mobility Controller Caused by Malformed|
-----BEGIN PGP SIGNED MESSAGE-----
Aruba Networks Security Advisory
Title: DoS Vulnerability in Aruba Mobility Controller Caused by
Malformed EAP Frame.
Aruba Advisory ID: AID-12808
For Public Release on 12/8/2008
A Denial of Service (DoS) vulnerability was discovered during standard
bug reporting procedures
in the Aruba Mobility Controller. A malformed EAP frame causes a process
crash on the Aruba
Mobility Controller causing a temporary DoS condition for new clients
configured to use EAP
authentication. Prior successful security association is not required to
cause this condition.
The Mobility Controller recovers automatically by restarting the
AFFECTED ArubaOS VERSIONS
2.4.8.x-FIPS, 2.5.x, 3.1.x, 3.2.x, 3.3.1.x, and 3.3.2.x versions
Extensible Authentication Protocol (EAP) is a framework used for
authentication in wireless and
point-point connections (RFC 3748). Aruba Mobility Controller accepts
EAP frames on both wireless
interfaces (via its thin APs) and wired interfaces (via devices
connected to untrusted physical
ports on the controller). In 802.11 networks, EAP frames are only used
when WPA/WPA2 Enterprise
modes are being used.
A malformed EAP frame causes a process crash on the Aruba Mobility
Controller. An attacking station
does not need to have completed a successful security association prior
to launching this attack
against the controller.
An attacker can inject a malformed EAP frame and cause a process crash
on the Aruba Mobility
Controller. This causes a service outage for new clients configured to
use EAP authentication.
The Mobility Controller recovers automatically by restarting the
affected process. An attacker
could however cause a prolonged DoS condition by flooding the Aruba
Mobility Controller with
malicious EAP frames.
For wireless, this vulnerability only applies when operating in WPA/WPA2
WPA/WPA2-PSK modes are unaffected by this vulnerability and so are
open/WEP based wireless networks.
This vulnerability does affect wired devices connected to untrusted
physical ports of the Mobility
CVSS v2 BASE METRIC SCORE: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Aruba Networks recommends that all customers that are using EAP
authentication apply the
appropriate patch(es) as soon as practical. However, in the event that
a patch cannot
immediately be applied, the following steps might help in mitigating the
- - - Aruba Mobility Controllers allows for a mode of operation where a
EAP communication terminates on the controller, rather than on an
authentication server (RADIUS
server, LDAP server etc.). The Mobility Controller in turn queries the
authentication server on
behalf of the client using non EAP messages. This mode is referred to as
"EAP-Offload" and is
immune to this vulnerability. Enabling this mode on the Mobility
Controller can be used as a
workaround until the patch(es) can be applied. EAP-Offload is not
supported for wired client
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
can not immediately be applied, the workaround steps will help to mitigate
OBTAINING FIXED FIRMWARE
Aruba customers can obtain the firmware on the support website:
Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.
EXPLOITATION AND PUBLIC ANNOUNCEMENTS
This vulnerability will be announced at
Aruba W.S.I.R.T. Advisory:
STATUS OF THIS NOTICE: Final
Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
~ Revision 1.0 / 12-8-2008 / Initial release
ARUBA WSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
~ (c) Copyright 2008 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----