[NEWS] Aruba Mobility Controller Shared Default Certificate



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Aruba Mobility Controller Shared Default Certificate
------------------------------------------------------------------------


SUMMARY

Aruba mobility controllers
(http://www.arubanetworks.com/products/mobility_controllers.php) use X.509
certificates to protect access to the web management interface and to
provide secure wireless authentication, such as the 802.1X EAP methods
EAP-TLS, EAP-TTLS and PEAP, and the Aruba-specific Captive Portal. By default
the controller uses a built-in certificate, with its private key, that is
shared by all deployed units across all customers. Administrators are not
forced to generate a new, installation-specific key pair to replace this
shared one.

Because the default private key on an Aruba Mobility Controller is not
protected in any particular way, anyone with access to one controller can
extract it. Since every controller presents the same certificate, whoever
holds that key can impersonate any other installation: intercept HTTPS
sessions to the web management interface and the captive portal, or act as
the EAP server end of a TLS, TTLS or PEAP exchange, and so harvest
administrator and user credentials from clients that trust the shared
certificate.

The current such certificate has serial number 386929 (0x5E771), was issued
by Equifax Secure Certificate Authority, and expires on Jun 30, 2011.
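A practitioner reading this will want a way to tell, from the outside, whether a given controller still presents the shared default certificate. What follows is an added example, not code from the advisory or from Aruba: standard-library Python that pulls the certificate from a TLS endpoint (host and port are arguments, since the advisory does not state the management port), walks the DER just far enough to read serialNumber, issuer and notAfter, and matches serial and issuer against the values given above. The build_sample_cert helper is a constructed fixture for exercising the parser offline; it is not the real demonstration certificate, and no real Aruba certificate is embedded here.

```python
"""Flag an Aruba controller still presenting the shared demonstration certificate.
Added example, not from the advisory or ArubaOS; standard library only. A minimal
DER walker extracts serialNumber, issuer and notAfter; the check compares them
with the values the advisory gives (serial 386929, issuer Equifax Secure CA).
"""
import socket
import ssl
from datetime import datetime, timezone

SHARED_DEMO_SERIAL = 386929                  # from the advisory; 0x05E771 in hex
SHARED_DEMO_ISSUER = "Equifax Secure Certificate Authority"
_OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content of a constructed element into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        out.append((tag, inner))
    return out

def _decode_oid(raw):
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    cur = 0
    for b in raw[1:]:                        # base-128 arcs, high bit set on all but last byte
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def _decode_name(content):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value } -> [(attr, text), ...]."""
    parts = []
    for _, rdn in _children(content):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            oid = _decode_oid(oid)
            parts.append((_OID_NAMES.get(oid, oid), val.decode("utf-8", "replace")))
    return parts

def _decode_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                          # UTCTime: two-digit year, RFC 5280 pivot at 50
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Return serial (int), issuer ([(attr, value)]) and notAfter (datetime) of a DER cert."""
    _, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = _children(_children(cert)[0][1])
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer = _decode_name(fields[2][1])      # fields[1] is the signature algorithm
    not_after = _decode_time(*_children(fields[3][1])[1])
    return {"serial": serial, "issuer": issuer, "not_after": not_after}

def is_shared_demo_cert(info):
    """True when serial and issuer match the shared default certificate in the advisory."""
    return info["serial"] == SHARED_DEMO_SERIAL and SHARED_DEMO_ISSUER in {v for _, v in info["issuer"]}

def fetch_peer_cert_der(host, port, timeout=5.0):
    """Grab the raw DER certificate; validation is off because the demo cert would fail it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# --- constructed fixture: a minimal, unsigned certificate skeleton for the parser ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_cert(serial, issuer_ou, not_after=b"110630235959Z"):
    """Constructed test data, not a real certificate; issuer mimics the advisory's shape."""
    def rdn(last_arc, text):                 # attribute OID 2.5.4.<last_arc> encodes as 55 04 xx
        return _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes([0x55, 0x04, last_arc])) + _tlv(0x13, text.encode())))
    name = _tlv(0x30, rdn(6, "US") + rdn(10, "Equifax") + rdn(11, issuer_ou))
    alg = _tlv(0x30, _tlv(0x05, b""))        # placeholder AlgorithmIdentifier, never read
    validity = _tlv(0x30, _tlv(0x17, b"080701000000Z") + _tlv(0x17, not_after))
    serial_der = _tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + serial_der + alg + name + validity + name)
    return _tlv(0x30, tbs + alg + _tlv(0x03, bytes(17)))
```

Against a live controller the call is parse_certificate(fetch_peer_cert_der(host, port)) followed by is_shared_demo_cert on the result; the match is on serial number and issuer only, because the advisory gives no fingerprint. The same check at a shell is openssl s_client -connect host:port </dev/null | openssl x509 -noout -serial -issuer -enddate, where the shared certificate shows up as serial=05E771.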

DETAILS

Vulnerable Systems:
* ArubaOS version 3.3.1.16

Vendor response:
From: Robbie (Rupinder) Gill rgill[at]arubanetworks.com
The certificate referenced in this posting is for demonstration purposes
*only*, and this is clearly indicated in Aruba's documentation:

"A server certificate installed in the controller verifies the
authenticity of the controller for 802.1x authentication. Aruba
controllers ship with a demonstration digital certificate. Until you
install a customer-specific server certificate in the controller, this
demonstration certificate is used by default for all secure HTTP
connections (such as the WebUI and captive portal) and AAA FastConnect.

This certificate is included primarily for the purposes of feature
demonstration and convenience and is not intended for long-term use in
production networks. Users in a production environment are urged to obtain
and install a certificate issued for their site or domain by a well-known
certificate authority (CA). You can generate a Certificate Signing Request
(CSR) on the controller to submit to a CA. For information on how to
generate a CSR and how to import the CA-signed certificate into the
controller, see "Managing Certificates" on page 517 in Chapter 19,
"Configuring Management Access"."

The Aruba OS User Guides containing the above text and further details on
certificate management are available from Aruba's support site at
https://support.arubanetworks.com/.


ADDITIONAL INFORMATION

The information has been provided by nnposter (nnposter@xxxxxxxxxxxxx).



========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


