-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2016-006
CVE: N/A
Publication Date: 2016-May-04
Status: Confirmed
Revision: 1

Title
=====

ArubaOS PAPI Vulnerabilities

Overview
========

This advisory is a reminder to customers that the PAPI protocol is not a secure protocol. Although this information was previously disclosed, an impending public disclosure by the Google Security Team (focused on Aruba Instant) will call out the vulnerable details of this protocol and bring it to the attention of the attacker community.

Affected Products
=================

-- ArubaOS (all versions)

Details
=======

PAPI protocol is not secure
===========================

The PAPI protocol is used by Aruba products, including ArubaOS, for a number of management and control functions. By default, ArubaOS uses PAPI encapsulated inside IPsec for the majority of these functions - a feature called "CPsec" or "Control Plane Security". Some use of PAPI is still unprotected, however. In addition, some customers choose to disable CPsec, since it is a configurable feature.

The PAPI protocol contains a number of unremediated flaws, including:

- MD5 message digests are not properly validated upon receipt
- PAPI encryption protocol is weak
- All Aruba devices use a common static key for message validation

A companion document entitled "Control Plane Security Best Practices" has been published, and contains a complete explanation of how PAPI is used and the potential risks it exposes. The latest update to this document is posted on http://support.arubanetworks.com under the Announcements tab (login is required).

Resolution
==========

Please see the companion document "Control Plane Security Best Practices", which is posted on http://support.arubanetworks.com under the Announcements tab (login is required). This document contains full details.
Depending on network configuration and risk tolerance, no action may be required.

Revision History
================

Revision 1 / 2016-May-04 / Initial release

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products and on obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to sirt(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2016 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.