A Denial of Service (DoS) vulnerability was discovered during standard bug reporting procedures. A malformed 802.11 probe request frame causes a crash on the Access Point (AP) causing a temporary DoS condition for wireless clients. Prior successful security association with the wireless network is not required to cause this condition. The AP recovers automatically by restarting itself.
An 802.11 probe request frame is used by wireless clients to discover wireless networks. A malformed probe request frame may cause a crash on the Aruba APs. An attacking station does not need to have completed a successful security association prior to launching this attack since a probe request frame is an unprotected frame. This vulnerability affects all Aruba APs.
An attacker can inject a malformed probe request frame and cause an AP to crash. This causes a service outage for all clients connected to that AP. The AP recovers automatically by restarting. An attacker could however cause a prolonged DoS condition by flooding the WLAN with malicious probe request frames.
This vulnerability applies equally to both encrypted and unencrypted WLANs. This vulnerability does not affect wired devices connected the Aruba Mobility Controller.
Vulnerability #2
----------------
An EAP-TLS Dot1X wireless user authentication bypass vulnerability was discovered during standard internal bug reporting procedures in the Aruba Mobility Controller. This vulnerability only affects customers with EAP-TLS Dot1X local termination enabled on a WLAN.
Aruba Mobility Controllers allow for local termination of EAP-TLS Dot1X authentication of wireless users accessing the network and authenticating via EAP-TLS. Local Dot1X termination allows rapid deployment of WLAN without requiring an external authentication server capable of EAP-TLS authentication. A vulnerability in the EAP-TLS Dot1X termination component in the Mobility Controller may allow unauthorized network access to some wireless users.
EAP-TLS Dot1X termination is not the default setup and must be configured manually for a WLAN before it will be used. Wireless users authenticating to an external authentication server are NOT vulnerable and neither are wired users. Other WLANs on the same Mobility Controller that do not use local termination of Dot1X EAP-TLS are NOT affected by this vulnerability.
An EAP-TLS wireless user may be able to gain unauthorized access to a WLAN configured with local Dot1X termination of EAP-TLS authentications on the Aruba Mobility Controller.
Patch Availability:
Aruba Networks recommends that all customers apply the appropriate patch(es) as soon as practical.
The following patches have the fix (any newer patch will also have the fix):
Patches for 3.3.1.X and 3.3.2.X releases would be made available on request as well.
Please note: We highly recommend that you upgrade your Mobility Controller to the latest available patch on the Aruba support site corresponding to your currently installed release.
Vulnerability #2
----------------
Disable EAP-TLS Dot1X local termination for wireless users until such time as the patches can be applied and switch to using an external EAP-TLS server for authenticating wireless users. If local Dot1X termination can not be disabled, switch to using another EAP method to authenticate wireless users.
