Hewlett-Packard Enterprise subsidiary Aruba Networks has ‘fessed up to “multiple vulnerabilities” in its networking software which could be used to compromise devices under “certain circumstances”. The vulnerabilities have now been fixed, and an update will be issued later this year, the company said.

Aruba Networks said the vulnerabilities were first discovered by Google Security Team researcher Sven Blumenstein, and affect the company’s ArubaOS, AirWave Management Platform (AMP), and Aruba Instant (IAP). In total, the company reported 26 separate issues with its software via an advisory, including information disclosure, remote code execution, insecure storage of user’s credentials and private keys, and an insecure update mechanism. Still, Aruba has reported them all under just a couple of CVE-tracking IDs: CVE-2016-2031 and CVE-2016-2032.

Aruba says that the issues all stem from design flaws in a proprietary management and control protocol known as “PAPI”.

“The PAPI protocol contains a number of unremediated flaws, including: MD5 message digests are not properly validated upon receipt, PAPI encryption protocol is weak; all Aruba devices use a common static key for message validation,” the company wrote in an advisory.

How badly Aruba’s customers could be impacted will depend on their exact network configuration, the company said. Aruba said it plans to fix the flaws in Aruba Instant and AirWave “later this year”, without giving an exact date, which is not completely reassuring.

What Aruba did say was that the update, when it comes, will ensure PAPI only operates in a secure channel like DTLS or IPsec. As a temporary fix, Aruba says customers should read the recommendations in its “Control Plane Security Best Practices” and apply these.

Aruba has already issued patches for most of the other flaws in updates IAP 4.1.3.0 and 4.2.3.1, and AMP 8.2.0. Aruba also noted that there are two more security issues that it doesn’t consider to be “vulnerabilities” as such. However, the company said it will nonetheless fix them are they’re not in line with its “best practices”. One of these problems has to do with the use of a static password for an engineering support mode that gives extra diagnostic and configuration capabilities, which could cause physical damage to the AP hardware if misused. However, this mode can only be accessed from an authenticated administrative session, which means hackers would already need access to the network before they can carry out any attack.

The second issue regards the use of a static key to encrypt all IAP configuration files passwords. Should this file be stolen, attackers might be able to reverse engineer the platform’s code and decrypt the passwords.

Photo Credit: BobMical via Compfight cc