Yesterday Aruba Networks announced a vulnerability regarding the PAPI protocol used in some products. For more information on how to remain protected, contact Advanticom at 412-385-5000.

Details from Aruba below:


This advisory is a reminder to customers that the PAPI protocol is not a secure protocol.

Although this information was previously disclosed, an impending public disclosure by the Google Security Team (focused on Aruba Instant) will call out the vulnerable details of this protocol and bring it to the attention of the attacker community.

Affected Products: ArubaOS (All Versions)


The PAPI protocol is used by Aruba products, including ArubaOS, for a number of management and control functions. By default, ArubaOS uses PAPI encapsulated inside IPsec for the majority of these functions – a feature called “CPsec” or “Control Plane Security”. Some use of PAPI is still unprotected, however. In addition, some customers choose to disable CPsec, since it is a configurable feature.

The PAPI protocol contains a number of unremediated flaws, including:

  •  MD5 message digests are not properly validated upon receipt
  •  PAPI encryption protocol is weak
  •  All Aruba devices use a common static key for message validation

A companion document entitled “Control Plane Security Best Practices” has been published, and contains a complete explanation of how PAPI is used and the potential risks it exposes. The latest update to this document is posted on http://support.arubanetworks.com under the Announcements tab (login is required).


Please see the companion document “Control Plane Security Best Practices”, which is posted on http://support.arubanetworks.com under the Announcements tab (login is required). This document contains full details. Depending on network configuration and risk tolerance, no action may be required.