Aruba Mobility Controller SNMP Community String Disclosure

[nnposter () disclosed not]

Aruba Mobility Controller SNMP Community String Disclosure


Product:

Aruba Mobility Controller
http://www.arubanetworks.com/products/mobility_controllers.php


Aruba mobility controller can be monitored via SNMP. It is possible to learn all configured SNMP community strings as 
long as at least one of them is known to the attacker. This can be accomplished by walking OID branch 
SNMP-COMMUNITY-MIB::snmpCommunityName (1.3.6.1.6.3.18.1.1.1.2) or SNMP-VIEW-BASED-ACM-MIB::vacmGroupName 
(1.3.6.1.6.3.16.1.2.1.3).

While the vulnerability is not in any way exposing the Aruba controller itself, the disclosure may lead to unauthorized 
access to other devices for which the attacker originally did not possess valid community strings.

Similarly it is possible to enumerate SNMPv3 users by inspecting SNMP-USER-BASED-SM-MIB or SNMP-VIEW-BASED-ACM-MIB but 
the passwords are not disclosed. This means that only noAuthNoPriv users represent an immediate exposure.


The vulnerability has been identified in ArubaOS version 3.3.2.6 but previous versions are also likely affected.


Solution:
Do not rely solely on SNMP community strings to separate access by different clients. Where impractical, use unique 
community strings for the Aruba infrastructure.


Found by:
nnposter