Yesterday Aruba Networks announced a vulnerability regarding the PAPI protocol used in some products. For more information on how to remain protected, contact Advanticom at 412-385-5000.
Details from Aruba below:
This advisory is a reminder to customers that the PAPI protocol is not a secure protocol.
Although this information was previously disclosed, an impending public disclosure by the Google Security Team (focused on Aruba Instant) will call out the vulnerable details of this protocol and bring it to the attention of the attacker community.
Affected Products: ArubaOS (All Versions)
The PAPI protocol is used by Aruba products, including ArubaOS, for a number of management and control functions. By default, ArubaOS uses PAPI encapsulated inside IPsec for the majority of these functions – a feature called “CPsec” or “Control Plane Security”. Some use of PAPI is still unprotected, however. In addition, some customers choose to disable CPsec, since it is a configurable feature.
The PAPI protocol contains a number of unremediated flaws, including:
- MD5 message digests are not properly validated upon receipt
- PAPI encryption protocol is weak
- All Aruba devices use a common static key for message validation

A companion document entitled “Control Plane Security Best Practices” has been published, and contains a complete explanation of how PAPI is used and the potential risks it exposes. The latest update to this document is posted on http://support.arubanetworks.com under the Announcements tab (login is required).
Please see the companion document “Control Plane Security Best Practices”, which is posted on http://support.arubanetworks.com under the Announcements tab (login is required). This document contains full details. Depending on network configuration and risk tolerance, no action may be required.