The certificate referenced in this posting is for demonstration purposes *only*, and this is clearly indicated in Aruba's documentation:

"A server certificate installed in the controller verifies the authenticity of the controller for 802.1x authentication. Aruba controllers ship with a demonstration digital certificate. Until you install a customer-specific server certificate in the controller, this demonstration certificate is used by default for all secure HTTP connections (such as the WebUI and captive portal) and AAA FastConnect.

This certificate is included primarily for the purposes of feature demonstration and convenience and is not intended for long-term use in production networks. Users in a production environment are urged to obtain and install a certificate issued for their site or domain by a well-known certificate authority (CA). You can generate a Certificate Signing Request (CSR) on the controller to submit to a CA. For information on how to generate a CSR and how to import the CA-signed certificate into the controller, see "Managing Certificates" on page 517 in Chapter 19, "Configuring Management Access"."

The Aruba OS User Guides containing the above text and further details on certificate management are available from Aruba's support site at https://support.arubanetworks.com/.

Aruba Networks was not notified prior to the public disclosure of this notice. Aruba Networks welcomes the opportunity to work with security researchers and assist in product reports in accordance with our security incident response policy available at http://www.arubanetworks.com/support/wsirt.php.

If you are an Aruba customer and have any questions about this issue, please contact Aruba support at support@xxxxxxxxxxxxxxxxxx

---------------------------------
Aruba Threat Labs
Aruba Networks, Sunnyvale, CA
----------------------------------

-------- Original Message --------
| Subject: Aruba Mobility Controller Shared Default Certificate
| Date: 23 Sep 2008 03:51:58 -0000
| From: nnposter@xxxxxxxxxxxxx
| To: bugtraq@xxxxxxxxxxxxxxxxx
|
| Aruba Mobility Controller Shared Default Certificate
|
| Product:
|
| Aruba Mobility Controller
|
| http://www.arubanetworks.com/products/mobility_controllers.php
|
| Aruba mobility controllers use X.509 certificates to protect access to
| the web management interface and to provide secure wireless
| authentication, such as TLS, TTLS, PEAP, and Aruba-specific Captive
| Portal. By default the controller uses a built-in certificate that is
| shared by all deployed units across all customers. Administrators are
| not forced to generate new, implementation-specific key pairs to replace
| this shared one.
|
| Since the corresponding private key is not protected in any particular
| way it is possible for a party with access to one of the controllers to
| retrieve the private key and abuse it to compromise other
| implementations.
|
| The latest such certificate is serial number 386929 issued by Equifax
| Secure Certificate Authority, expiring Jun 30, 2011.
|
| The vulnerability has been identified in ArubaOS version 3.3.1.16 but
| all previous versions are also likely affected.
|
| Solution:
|
| Replace the default certificate with a new key pair that is unique for
| the implementation.
|
| Found by:
|
| nnposter
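As an added inventory check, not Aruba's or the original poster's code: this Python script reads the serial number straight out of the DER certificate a controller presents and flags the shared demonstration certificate the advisory names (serial 386929), so an administrator can find units that still need a site-specific certificate. The DER walker is hand-written and minimal, and the connect helper assumes port 443; use the controller's actual WebUI port.

```python
import socket
import ssl

SHARED_DEMO_SERIAL = 386929  # serial quoted in the advisory


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def certificate_serial(der):
    """Pull serialNumber out of a DER certificate with no third-party libraries:
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }"""
    tag, p, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, p, _ = _read_tlv(der, p)
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, start, end = _read_tlv(der, p)
    if tag == 0xA0:  # explicit [0] version is present on v2/v3 certificates
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    return int.from_bytes(der[start:end], "big", signed=True)


def is_shared_demo_certificate(der):
    """True when the presented certificate carries the advisory's serial."""
    return certificate_serial(der) == SHARED_DEMO_SERIAL


def fetch_server_certificate(host, port=443):
    """Fetch the DER certificate a controller presents. Verification is off on
    purpose (the demo certificate is what we want to inspect); port 443 is an
    assumption, use the controller's actual WebUI port.
    Usage: is_shared_demo_certificate(fetch_server_certificate("controller"))"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

A serial match is a strong indicator but the SHA-1 or SHA-256 fingerprint of a known copy of the demo certificate is the definitive comparison once you have one on hand.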