US-CERT Vulnerability Notes Database

Aruba Networks Information for VU#654390

Date Notified: 06/12/2004
Date Modified: 07/21/2004 10:33:53 AM
Status Summary: Not Vulnerable

Vendor Statement

----------------------------------------------------------------------------

Aruba Wireless Networks Security Advisory

Title: ISC DHCP contains C includes that define "vsnprintf" to "vsprintf"
creating potential buffer overflow conditions
Aruba Advisory ID: AID-06152004
Revision: 1.0
For Public Release on 06/22/2004 at 19:00 (GMT)
References: CAN-2004-0461 / CERT Vulnerability Note VU#654390



----------------------------------------------------------------------------

SUMMARY

It was disclosed by ISC, via CERT, that ISC DHCP contains C includes that
define "vsnprintf" to "vsprintf" creating potential buffer overflow conditions.

PRODUCTS AND FIRMWARE VERSIONS AFFECTED

Hardware: No Aruba Wireless Networks platforms are affected
Software: No available Aruba OS versions are affected


DETAILS

This issue could cause a stack overflow and eventual crash of the machine
running ISC's DHCPd. Although it was not clear whether or not that overflow
could be used to execute arbitrary code, this should not cause a problem on Aruba
Wireless Networks products, since they are not affected by the packets described
in the CERT notification.

IMPACT

None.

WORKAROUNDS

There is no need for a workaround to be implemented.

SOLUTION

Aruba products were tested against this possible attack and are not vulnerable to it.


OBTAINING FIXED FIRMWARES

There is no special firmware needed to address the issue described above.

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com
web: http://www.arubanetworks.com/support

Please do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at
http://www.kb.cert.org/vuls


STATUS OF THIS NOTICE: Final

Although Aruba Wireless Networks cannot guarantee the accuracy of all
statements in this advisory, all of the facts have been checked to the
best of our ability. Aruba Wireless Networks does not anticipate issuing
updated versions of this advisory unless there is some material change
in the facts. Should there be a significant change in the facts, Aruba
Wireless Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security
advisory that omits the distribution URL in the following section is
an uncontrolled copy, and may lack important information or contain
factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at
http://www.arubanetworks.com/support/wsirt/alerts/AID-06152004.asc

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Aruba WSIRT PGP key having the fingerprint
AB90 36CE 259C 7BA1 4FAF 62F8 3EF2 6968 39C3 A3C0 and is posted to
the following e-mail recipients.

* cert@cert.org

Future updates of this advisory, if any, will be placed on Aruba's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

REVISION HISTORY


Revision 1.0 / 06-14-2004 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba
Wireless Networks products and obtaining assistance with security
incidents is available at
http://www.arubanetworks.com/support/wsirt.php


For reporting *NEW* Aruba Wireless Networks security issues, email
can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com.
For sensitive information we encourage the use of PGP encryption. Our
public keys can be found at http://www.arubanetworks.com/support/wsirt.php


(c) Copyright 2004 by Aruba Wireless Networks, Inc.
This advisory may be redistributed freely after the release date
given at the top of the text, provided that redistributed copies are
complete and unmodified, including all date and version information.

    US-CERT Addendum

    The CERT/CC has no additional comments at this time.
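
The defect class named in the advisory title is a header that maps "vsnprintf" to "vsprintf", so the size argument is silently ignored. The following is an added example, not code from ISC, Aruba, or US-CERT: a bounded formatting wrapper plus a self-test that detects a vsnprintf that does not honour its bound. The names fmt_bounded and vsnprintf_honours_bound and all sample strings are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: format into dst without writing more than cap bytes.
   Returns 0 on success, 1 if the output was truncated, -1 on error. */
static int fmt_bounded(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || cap == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, cap, fmt, ap);   /* must be the real, size-aware call */
    va_end(ap);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    return (size_t)n >= cap ? 1 : 0;    /* n is the length that was needed */
}

/* Self-test: format an oversized constructed string into a small buffer that
   is followed by a guard region larger than the input. If the build has
   mapped vsnprintf to an unbounded call, the guard bytes change.
   Returns 1 when the bound is honoured, 0 otherwise. */
static int vsnprintf_honours_bound(void)
{
    struct { char buf[8]; char guard[56]; } probe;
    size_t i;

    memset(&probe, 0xA5, sizeof probe);
    if (fmt_bounded(probe.buf, sizeof probe.buf, "%s",
                    "constructed-oversized-input") != 1)
        return 0;                       /* truncation was not reported */
    if (probe.buf[sizeof probe.buf - 1] != '\0')
        return 0;                       /* result is not NUL-terminated */
    for (i = 0; i < sizeof probe.guard; i++)
        if ((unsigned char)probe.guard[i] != 0xA5)
            return 0;                   /* write went past the buffer */
    return 1;
}

int main(void)
{
    printf("bound honoured: %d\n", vsnprintf_honours_bound());
    return 0;
}
```

Running the self-test at build or start-up time catches a compatibility header that has dropped the size argument before any untrusted input is formatted.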


Produced 2008 by US-CERT, a government organization