SECURITYVULNS:DOC:20571
Sep 24, 2008
vulners.com

Aruba Mobility Controller Shared Default Certificate

Product:

Aruba Mobility Controller
http://www.arubanetworks.com/products/mobility_controllers.php

Aruba mobility controllers use X.509 certificates to protect access to the web management interface
and to terminate TLS for wireless authentication, namely the EAP-TLS, EAP-TTLS and PEAP methods and
the Aruba-specific Captive Portal. By default the controller uses a built-in certificate that is
shared by all deployed units across all customers. Administrators are not forced to generate a new,
deployment-specific key pair to replace this shared one.

Because the corresponding private key is not protected in any particular way, a party with access to
one controller can retrieve it. Since every other controller presents the same certificate, that key
lets the attacker impersonate any of them: the web management interface and the EAP/Captive Portal
TLS endpoints of other customers' deployments can be spoofed, and, where RSA key exchange is used,
captured sessions can be decrypted.

The latest such certificate is serial number 386929 (0x5E771 in the hexadecimal form printed by most
tools) issued by Equifax Secure Certificate Authority, expiring Jun 30, 2011.
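A quick way to audit a deployment is to pull the certificate a controller presents and compare its serial number with the one named above. The following is an added example written for this page, not code from the advisory or from Aruba. It carries a minimal DER parser so the check runs offline against a constructed certificate fragment (only the version and serial fields are present; it is not a real certificate), plus a live check that fetches the peer certificate over TLS. The management port 4343 is an assumption; adjust it if your controller listens elsewhere.

```python
import socket
import ssl

# Serial number of the shared default certificate named in the advisory (decimal 386929).
SHARED_DEFAULT_SERIAL = 386929


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos].

    Returns (tag, value_start, value_end, next_pos). Handles short and long
    form lengths; indefinite length is not valid DER and is not supported.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def der_serial_number(cert_der):
    """Extract serialNumber from a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }. Only the leading structure is walked,
    so a truncated or unsigned blob is enough for the serial to be read.
    """
    tag, start, _, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, start, _, _ = _read_tlv(cert_der, start)          # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend, nxt = _read_tlv(cert_der, start)
    if tag == 0xA0:                                         # explicit [0] version (v2/v3 only)
        tag, vstart, vend, nxt = _read_tlv(cert_der, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(cert_der[vstart:vend], "big", signed=True)


def is_shared_default(cert_der):
    """True if the certificate carries the advisory's shared default serial."""
    return der_serial_number(cert_der) == SHARED_DEFAULT_SERIAL


def constructed_cert(serial):
    """Build a constructed, truncated DER 'certificate' for offline testing.

    It contains only a v3 version marker and the given serial; it is not a
    real certificate and will not parse as one in a full X.509 library.
    """
    body = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    ser = b"\x02" + bytes([len(body)]) + body
    tbs_body = b"\xa0\x03\x02\x01\x02" + ser                # [0] { INTEGER 2 } , serialNumber
    tbs = b"\x30" + bytes([len(tbs_body)]) + tbs_body
    return b"\x30" + bytes([len(tbs)]) + tbs


def check_controller(host, port=4343, timeout=5.0):
    """Fetch the certificate a live controller presents and flag the shared default.

    Port 4343 is assumed to be the HTTPS management port. Verification is
    disabled on purpose: the goal is to obtain the certificate, not trust it.
    An old controller may only offer TLS 1.0 and a 1024-bit key, which modern
    OpenSSL rejects at its default security level, hence the relaxed settings.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    serial = der_serial_number(der)
    return {"serial": serial, "shared_default": serial == SHARED_DEFAULT_SERIAL}


if __name__ == "__main__":
    # Offline demonstration against the constructed fragment.
    print(is_shared_default(constructed_cert(SHARED_DEFAULT_SERIAL)))   # True
    # Live use: print(check_controller("controller.example.internal"))
```

The serial alone identifies this particular shared certificate; if Aruba ships a later default under a different serial, the same parser can be pointed at the new value, or extended to compare the issuer and the SHA-1 fingerprint of the whole DER blob (`hashlib.sha1(der).hexdigest()`), which is the more robust identifier once you have a known-bad copy in hand.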

The vulnerability has been identified in ArubaOS version 3.3.1.16, but all previous versions are
likely affected as well.

Solution:
Replace the default certificate with a key pair that is unique to the deployment: generate a new
private key and certificate request, have it signed by a CA your clients and administrators trust,
install it on the controller, and select it for every use the default certificate covered (the web
management interface as well as the EAP and Captive Portal server certificate). Until this is done,
treat the web management interface and any TLS-based wireless authentication on the controller as
exposed to anyone holding the shared key.

Found by:
nnposter