search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Aruba Mobility Controller Management Interface contains a buffer overflow

Vulnerability Note VU#319913

Original Release Date: 2007-02-13 | Last Revised: 2007-02-13

Overview

The Aruba Mobility Controller Management Interface contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system.

Description

The Aruba Mobility Controllers are used to process and control network traffic in a wireless network. The Aruba Mobility Controller Management Interface is a utility used to configure and manage the Aruba Mobility Controllers. The management interface can be accessed via a command line or a web-based interface.

The Aruba Mobility Controller Management Interface fails to properly handle malformed input allowing a buffer overflow to occur. If the Aruba Mobility Controller Management Interface is configured for remote management, this vulnerability can be triggered remotely.

According to Aruba Networks this vulnerability affects Aruba Networks Mobility Controllers (200, 800, 2400, and 6000) running software versions 2.0 and later and Alcatel-Lucent OmniAccess Wireless 43xx and 6000 running software versions 2.0 and later.

Impact

A remote attacker may be able to execute arbitrary code on the affected Mobility Controller.

Solution

Apply a patch from Aruba
Aruba has released a patch to address this vulnerability. For more information refer to the Systems Affected section of this document.


Restrict access

You may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to Aruba Mobility Controller Management Interface web site as well as the device itself. This will limit your exposure to attacks.

Vendor Information

319913
 
Expand all

Aruba Networks, Inc. Affected

Notified:  February 09, 2007 Updated: February 13, 2007

Status

Affected

Vendor Statement

Aruba Networks is committed to continuously enhancing our security posture, and we have both internal and external resources involved in security review processes aimed at identifying product vulnerabilities, both in existing and in developing products.

It is important to note that there have been no reports of compromise due to this vulnerability. Aruba Networks' primary concern in this instance is to rapidly deploy a solution for our entire customer base. As a result, Aruba has released patches for the most prevalent code versions.

We highly recommend that you upgrade your Mobility Controller to a patch corresponding to your currently installed release. While we encourage customers to always utilize the latest releases to ensure the full benefit of our continued innovation and improvements, we recognize that this is not always possible. Therefore, all releases of code incorporating this fix are immediately available for download at https://support.arubanetworks.com

If you do not have an ArubaCare contract, you should contact your local reseller for assistance.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported by Aruba Networks.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 6.42
Date Public: 2007-02-12
Date First Published: 2007-02-13
Date Last Updated: 2007-02-13 19:59 UTC
Document Revision: 13

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis