Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2015-010
CVE: CVE-2015-7704, CVE-2015-7705, CVE-2015-7852, CVE-2015-7871
Publication Date: 2015-Nov-30
Status: Confirmed
Revision: 1

Title
=====
Network Time Protocol Daemon (NTPD) Multiple Vulnerabilities

Overview
========
The NTP Project (www.ntp.org) announced multiple vulnerabilities in NTPD
on October 21, 2015. Details may be found at
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner.
Multiple Aruba products contain ntpd and are vulnerable to a subset of the
published vulnerabilities.

Affected Products
=================
-- ClearPass up to, but not including, 6.5.5
-- ArubaOS 6.3 up to, but not including, 6.3.1.20
-- ArubaOS 6.4 up to, but not including, 6.4.2.14, 6.4.3.6 and 6.4.4.3
-- ArubaOS 7.

Unaffected Products
===================
-- AirWave
-- Aruba Instant
-- Aruba Central
-- VIA
-- Meridian

Details
=======
-- ClearPass is vulnerable to CVE-2015-7704 and CVE-2015-7705. This could
   allow an attacker to reduce clock accuracy by causing ClearPass to stop
   or delay updating its clock through NTP.

-- ArubaOS 6.3 and 6.4 are vulnerable to CVE-2015-7704 and CVE-2015-7705.
   This could allow an attacker to reduce clock accuracy by stopping or
   delaying clock updates through NTP. In addition, ArubaOS 6.4 is
   vulnerable to CVE-2015-7871 (NAK to the Future). This is the most
   serious of the vulnerabilities, and could allow an attacker to control
   the clock on a device running ArubaOS 6.4.

Workarounds
===========
The following workarounds limit the exposure of this vulnerability to
nearly zero:

-- Restrict access to NTP servers by ensuring that systems communicate
   only with specific, trusted NTP upstream servers.

-- Do not allow untrusted systems to access Aruba components on UDP port
   123. Aruba systems operate as NTP clients and will always establish
   connections outbound to upstream NTP servers. There is no need for
   external systems to initiate contact with an Aruba component.
   Note: In a multi-node ClearPass deployment, a ClearPass publisher does
   act as an NTP server for ClearPass subscriber nodes, so firewall rules
   would need to be adjusted accordingly.

-- For ArubaOS 6.4, use Service ACLs to permit inbound NTP traffic only
   from trusted sources.

Resolution
==========
The vulnerability will be addressed in the following versions:

-- ClearPass: 6.5.5, expected early January
-- ArubaOS: 6.3.1.20, 6.4.2.14, 6.4.3.6, 6.4.4.3 (bug 127194)

Obtaining Fixed Software
========================
Aruba customers can obtain software updates on the support website:
http://support.arubanetworks.com

Aruba Support contacts are as follows:

+1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)

The full contact list is at:
//www.nexbus-cng.com/support-services/support-program/contact-support/

e-mail: support(at)arubanetworks.com

Please do not contact "sirt(at)arubanetworks.com" for software upgrades.

Revision History
================
Revision 1.0 / 2015-Nov-30 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
//www.nexbus-cng.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
sirt(at)arubanetworks.com. For sensitive information we encourage the use
of PGP encryption. Our public keys can be found at:
//www.nexbus-cng.com/support-services/security-bulletins/

(c) Copyright 2015 by Aruba, a Hewlett Packard Enterprise company

This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
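The following is an added example, not part of the Aruba advisory: one way to audit connection records against the Workarounds section, including the ClearPass publisher/subscriber exception. The record layout (initiator, responder, protocol, destination port), every address, and the names `check_flow` and `audit` are assumptions made for illustration.

```python
import ipaddress

# All addresses below are constructed (RFC 5737 documentation ranges).
ARUBA_DEVICES = ipaddress.ip_network("192.0.2.0/24")   # controllers, ClearPass
TRUSTED_UPSTREAM = {ipaddress.ip_address("198.51.100.10"),
                    ipaddress.ip_address("198.51.100.11")}
CLEARPASS_PUBLISHER = ipaddress.ip_address("192.0.2.20")
CLEARPASS_SUBSCRIBERS = {ipaddress.ip_address("192.0.2.21"),
                         ipaddress.ip_address("192.0.2.22")}
NTP_PORT = 123


def check_flow(initiator, responder, proto, dport):
    """Return None if the flow fits the workarounds, else a reason string."""
    if proto != "udp" or dport != NTP_PORT:
        return None  # not NTP, out of scope for this audit
    src = ipaddress.ip_address(initiator)
    dst = ipaddress.ip_address(responder)
    if dst in ARUBA_DEVICES:
        # Aruba components are NTP clients; only a ClearPass publisher
        # serves time, and only to its own subscriber nodes.
        if dst == CLEARPASS_PUBLISHER and src in CLEARPASS_SUBSCRIBERS:
            return None
        return "inbound NTP to Aruba component from non-permitted source"
    if src in ARUBA_DEVICES and dst not in TRUSTED_UPSTREAM:
        return "Aruba component polling an untrusted NTP server"
    return None


def audit(flows):
    """Return (flow, reason) for each flow that violates the policy."""
    findings = []
    for flow in flows:
        reason = check_flow(*flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed sample records: (initiator, responder, protocol, dest port)
SAMPLE_FLOWS = [
    ("192.0.2.5", "198.51.100.10", "udp", 123),  # controller -> trusted upstream
    ("192.0.2.21", "192.0.2.20", "udp", 123),    # subscriber -> publisher
    ("203.0.113.77", "192.0.2.5", "udp", 123),   # outside host -> controller
    ("192.0.2.5", "203.0.113.9", "udp", 123),    # controller -> unknown server
    ("192.0.2.22", "192.0.2.5", "udp", 123),     # subscriber -> controller
    ("203.0.113.77", "192.0.2.5", "tcp", 443),   # not NTP
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```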