Bugtraq mailing list archives

Re: Aruba Mobility Controller Shared Default Certificate - Response from Aruba Networks


From: "Robbie (Rupinder) Gill" <rgill () arubanetworks com>
Date: Tue, 23 Sep 2008 11:59:54 -0700


The certificate referenced in this posting is for demonstration purposes
*only*, and this is clearly indicated in Aruba's documentation:

"A server certificate installed in the controller verifies the
authenticity of the controller for 802.1x authentication. Aruba
controllers ship with a demonstration digital certificate. Until you
install a customer-specific server certificate in the controller, this
demonstration certificate is used by default for all secure HTTP
connections (such as the WebUI and captive portal) and AAA FastConnect.

This certificate is included primarily for the purposes of feature
demonstration and convenience and is not intended for long-term use in
production networks. Users in a production environment are urged to
obtain and install a certificate issued for their site or domain by a
well-known certificate authority (CA). You can generate a Certificate
Signing Request (CSR) on the controller to submit to a CA. For
information on how to generate a CSR and how to import the CA-signed
certificate into the controller, see "Managing Certificates" on page
517 in Chapter 19, "Configuring Management Access"."

The Aruba OS User Guides containing the above text and further details
on certificate management are available from Aruba's support site at
https://support.arubanetworks.com/.


Aruba Networks was not notified prior to the public disclosure of this
notice. Aruba Networks welcomes the opportunity to work
with security researchers and assist in product reports in accordance
with our security incident response policy available at
http://www.arubanetworks.com/support/wsirt.php.


If you are an Aruba customer and have any questions about this issue,
please contact Aruba support at support () arubanetworks com.


---------------------------------
Aruba Threat Labs
Aruba Networks, Sunnyvale, CA
----------------------------------

-------- Original Message --------
| Subject: Aruba Mobility Controller Shared Default Certificate
| Date: 23 Sep 2008 03:51:58 -0000
| From: nnposter () disclosed not
| To: bugtraq () securityfocus com
|
| Aruba Mobility Controller Shared Default Certificate
|
| Product:
|
| Aruba Mobility Controller
|
| http://www.arubanetworks.com/products/mobility_controllers.php
|
| Aruba mobility controllers use X.509 certificates to protect access to
| the web management interface and to provide secure wireless
| authentication, such as TLS, TTLS, PEAP, and Aruba-specific Captive
| Portal. By default the controller uses a built-in certificate that is
| shared by all deployed units across all customers. Administrators are
| not forced to generate new, implementation-specific key pairs to replace
| this shared one.
|
| Since the corresponding private key is not protected in any particular
| way it is possible for a party with access to one of the controllers to
| retrieve the private key and abuse it to compromise other
| implementations.
|
| The latest such certificate is serial number 386929 issued by Equifax
| Secure Certificate Authority, expiring Jun 30, 2011.
|
| The vulnerability has been identified in ArubaOS version 3.3.1.16 but
| all previous versions are also likely affected.
|
| Solution:
|
| Replace the default certificate with a new key pair that is unique for
| the implementation.
|
| Found by:
|
| nnposter
|
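A defensive fleet check, added here as an example and not taken from the advisory or from Aruba: it reads a controller's HTTPS certificate with a minimal DER parser and flags the serial number and issuer the advisory names, so an administrator can find units still presenting the shared demonstration certificate. `build_sample_cert` is a constructed, unsigned skeleton for exercising the parser offline, not a real Aruba certificate, and matching the issuer on its organizationName attribute is an assumption about how the Equifax DN is encoded.

```python
import ssl

SHARED_DEMO_SERIAL = 386929                      # serial number named in the advisory
SHARED_DEMO_ISSUER_O = b"Equifax Secure Certificate Authority"
OID_ORGANIZATION = bytes.fromhex("55040a")       # id-at-organizationName (2.5.4.10)

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def cert_serial_and_issuer_org(der_cert):
    """Return (serialNumber, issuer organizationName) from a DER-encoded X.509 certificate."""
    _, body, _ = der_tlv(der_cert)               # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = list(der_children(der_tlv(body)[1]))  # tbsCertificate fields
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields.pop(0)
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    org = None                                   # fields[2] is the issuer Name (SEQUENCE OF RDN SET)
    for _, rdn in der_children(fields[2][1]):
        for _, atv in der_children(rdn):         # AttributeTypeAndValue ::= SEQUENCE { type, value }
            (_, oid), (_, val) = list(der_children(atv))
            org = val if oid == OID_ORGANIZATION else org
    return serial, org

def is_shared_demo_cert(der_cert):
    """True when serial and issuer match what the advisory attributes to the shared demo cert."""
    return cert_serial_and_issuer_org(der_cert) == (SHARED_DEMO_SERIAL, SHARED_DEMO_ISSUER_O)

def audit_controller(host, port=443):
    """Fetch a controller's HTTPS certificate and report whether it is still the shared one."""
    return is_shared_demo_cert(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))))

def build_sample_cert(serial, issuer_org):
    """Constructed, unsigned certificate skeleton used only to exercise the parser offline."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body   # short-form DER lengths only
    alg = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010105")))  # sha1WithRSAEncryption
    name = enc(0x30, enc(0x31, enc(0x30, enc(0x06, OID_ORGANIZATION) + enc(0x13, issuer_org))))
    serial_der = enc(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + serial_der + alg + name)
    return enc(0x30, tbs + alg + enc(0x03, b"\x00"))        # placeholder empty signature
```

`audit_controller` is the only function that touches the network; run it against each controller's management address and replace the certificate on any unit that returns True.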

