[NEWS]Aruba Mobility Controller Shared Default Certificate
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 Oct 2008 18:20:46 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Aruba Mobility Controller Shared Default Certificate
------------------------------------------------------------------------
SUMMARY
Aruba mobility controllers
(<http://www.arubanetworks.com/products/mobility_controllers.php>) "use X.509
certificates to protect access to the web management interface and to provide
secure wireless authentication, such as TLS, TTLS, PEAP, and Aruba-specific
Captive Portal. By default the controller uses a built-in certificate that is
shared by all deployed units across all customers. Administrators are not
forced to generate new, implementation-specific key pairs to replace this
shared one".
The default private key used by the Aruba Mobility Controller is not protected
in any particular way, so a party with access to one of the controllers can
retrieve the private key and abuse it to compromise other deployments that
still rely on the same shared certificate.
The latest such certificate is serial number 386929 issued by Equifax
Secure Certificate Authority, expiring Jun 30, 2011.
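The practical question for a defender is whether a given controller is still presenting the shared demonstration certificate. The following is an added example, not code from the advisory or from Aruba: it pulls the leaf certificate a TLS endpoint presents (without validating it, since the point is inspection) and, with a small hand-written DER reader, compares the serial number and issuer against the values the advisory quotes (serial 386929, issuer "Equifax Secure Certificate Authority"). The issuer match on that string is an assumption about how the issuer name is encoded; the `build_sample_cert` fixture is a constructed, unsigned certificate used only to exercise the parser offline.

```python
"""Added example (not from the advisory): flag the shared Aruba demonstration
certificate by serial number and issuer, using only the Python standard library."""
import ssl

SHARED_SERIAL = 386929                                       # serial quoted in the advisory
SHARED_ISSUER_MARK = "Equifax Secure Certificate Authority"  # issuer quoted in the advisory


def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _tlv(buf, pos)
        yield tag, vs, ve


def _strings(buf, start, end):
    """Collect the string values nested anywhere inside a DER Name."""
    out = []
    for tag, vs, ve in _children(buf, start, end):
        if tag & 0x20:                                       # constructed (SEQUENCE/SET): recurse
            out.extend(_strings(buf, vs, ve))
        elif tag in (0x0C, 0x13, 0x14, 0x16):                # UTF8, Printable, T61, IA5 strings
            out.append(buf[vs:ve].decode("utf-8", "replace"))
    return out


def _time_to_date(tag, raw):
    """Render UTCTime (YYMMDDhhmmssZ) or GeneralizedTime (YYYYMMDD...) as YYYY-MM-DD."""
    if tag == 0x17:                                          # UTCTime: two-digit year (RFC 5280 rule)
        raw = ("20" if int(raw[:2]) < 50 else "19") + raw
    return f"{raw[:4]}-{raw[4:6]}-{raw[6:8]}"


def parse_cert(der):
    """Pull serial, issuer strings and notAfter out of a DER-encoded X.509 certificate."""
    _, cert_s, _, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e, _ = _tlv(der, cert_s)                   # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                                 # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(der[fields[0][1]:fields[0][2]], "big", signed=True)
    issuer = _strings(der, fields[2][1], fields[2][2])       # fields: serial, sigAlg, issuer, validity
    not_before, not_after = _children(der, fields[3][1], fields[3][2])
    return {
        "serial": serial,
        "issuer": issuer,
        "not_after": _time_to_date(not_after[0], der[not_after[1]:not_after[2]].decode("ascii")),
    }


def is_shared_default_cert(der):
    """True when the certificate matches the shared demo certificate named in the advisory."""
    info = parse_cert(der)
    return info["serial"] == SHARED_SERIAL and any(SHARED_ISSUER_MARK in s for s in info["issuer"])


def fetch_der(host, port=443):
    """Fetch a server's leaf certificate without validating it (inspection only)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# ---- constructed test fixture: a hypothetical, unsigned certificate, no real key ----
def _der(tag, payload):
    """Minimal DER TLV encoder used only to build the sample certificate below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(attrs):
    """Encode [(oid_bytes, text)] as an X.501 Name with one single-attribute RDN each."""
    return _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x13, text.encode("ascii"))))
        for oid, text in attrs))


def build_sample_cert(serial, issuer_ou, not_after="110630235959Z"):
    """Constructed sample whose tbsCertificate layout mirrors a real certificate."""
    rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b""))
    sha1_rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010105")) + _der(0x05, b""))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                  # version v3
           + _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
           + sha1_rsa
           + _name([(bytes.fromhex("55040B"), issuer_ou)])                   # issuer OU
           + _der(0x30, _der(0x17, b"080630000000Z") + _der(0x17, not_after.encode()))
           + _name([(bytes.fromhex("550403"), "controller.example.test")])   # subject CN
           + _der(0x30, rsa + _der(0x03, b"\x00")))                           # placeholder SPKI
    return _der(0x30, _der(0x30, tbs) + sha1_rsa + _der(0x03, b"\x00"))     # empty signature


if __name__ == "__main__":
    sample = build_sample_cert(SHARED_SERIAL, SHARED_ISSUER_MARK)
    print(parse_cert(sample), "shared default:", is_shared_default_cert(sample))
```

Against a live controller, `is_shared_default_cert(fetch_der("controller.example.test", 443))` answers the question directly; a positive result means the private key protecting the WebUI, captive portal and EAP server identity is the one every other unshipped unit also carries, and the fix is the CSR-and-import procedure the vendor describes below. The reader is deliberately tolerant (it validates nothing) because the shared certificate has long since expired and a verifying client would refuse to show it at all.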
DETAILS
Vulnerable Systems:
* ArubaOS version 3.3.1.16
Vendor response:
From: Robbie (Rupinder) Gill rgill[at]arubanetworks.com
The certificate referenced in this posting is for demonstration purposes
*only*, and this is clearly indicated in Aruba's documentation:
"A server certificate installed in the controller verifies the
authenticity of the controller for 802.1x authentication. Aruba
controllers ship with a demonstration digital certificate. Until you
install a customer-specific server certificate in the controller, this
demonstration certificate is used by default for all secure HTTP
connections (such as the WebUI and captive portal) and AAA FastConnect.
This certificate is included primarily for the purposes of feature
demonstration and convenience and is not intended for long-term use in
production networks. Users in a production environment are urged to obtain
and install a certificate issued for their site or domain by a well-known
certificate authority (CA). You can generate a Certificate Signing Request
(CSR) on the controller to submit to a CA. For information on how to
generate a CSR and how to import the CA-signed certificate into the
controller, see "Managing Certificates" on page 517 in Chapter 19,
"Configuring Management Access"."
The Aruba OS User Guides containing the above text and further details on
certificate management are available from Aruba's support site at
<https://support.arubanetworks.com/>.
ADDITIONAL INFORMATION
The information has been provided by nnposter <mailto:nnposter@xxxxxxxxxxxxx>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.