Aruba Mobility Controller SNMP Community String Disclosure


Product:

Aruba Mobility Controller
http://www.arubanetworks.com/products/mobility_controllers.php


Aruba mobility controller can be monitored via SNMP. It is possible to learn all configured SNMP community strings as long as at least one of them is known to the attacker. This can be accomplished by walking OID branch SNMP-COMMUNITY-MIB::snmpCommunityName (1.3.6.1.6.3.18.1.1.1.2) or SNMP-VIEW-BASED-ACM-MIB::vacmGroupName (1.3.6.1.6.3.16.1.2.1.3).

While the vulnerability is not in any way exposing the Aruba controller itself, the disclosure may lead to unauthorized access to other devices for which the attacker originally did not possess valid community strings.

Similarly it is possible to enumerate SNMPv3 users by inspecting SNMP-USER-BASED-SM-MIB or SNMP-VIEW-BASED-ACM-MIB but the passwords are not disclosed. This means that only noAuthNoPriv users represent an immediate exposure.


The vulnerability has been identified in ArubaOS version 3.3.2.6 but previous versions are also likely affected.


Solution:
Do not rely solely on SNMP community strings to separate access by different clients. Where impractical, use unique community strings for the Aruba infrastructure.


Found by:
nnposter