-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: Aruba-PSA-2018-002
CVE: CVE-2017-13099
Publication Date: 2018-Mar-28
Status: Confirmed
Revision: 2

Title
=====
Bleichenbacher's Oracle Threat (ROBOT)

Overview
========
The cryptographic library used by Aruba Instant provides a weak Bleichenbacher oracle whenever a TLS cipher suite that uses RSA key exchange is negotiated. In such suites the client encrypts the premaster secret with the server's RSA public key using PKCS#1 v1.5 padding; if the server's handling of a badly padded ciphertext is observably different from its handling of a well-formed one, an attacker who can submit many chosen ciphertexts obtains a padding oracle. With that oracle the attacker may be able to decrypt traffic protected by the certificate's RSA key, or to produce signatures with that key, without ever learning the key itself; in effect this is a compromise of the private key for the X.509 certificate. This vulnerability is known as "ROBOT".

Affected Products
=================
- Aruba Instant (IAP) prior to version 6.5.4.7

Unaffected Products
===================
- All other Aruba products are not affected, including switches, software, and wireless products
- HP / HPE / Aruba campus and branch switches are not affected
- All legacy HP wireless products are not affected

Details
=======
Please see https://robotattack.org/ for details, including the original research paper.

Aruba Instant (IAP) contains the WolfSSL cryptographic library, which provides certain cryptographic functions including HTTPS and TLS/SSL. WolfSSL contains a "weak" form of the ROBOT vulnerability. The research paper describes "weak" as meaning the oracle "takes a long time to attack", although it does not quantify that statement. According to WolfSSL, testing against the WolfSSL cryptographic library failed to extract a single key after two weeks of testing comprising more than 30 million attempts. Although the researchers' theory predicts that key extraction should be possible against WolfSSL, so far it has not been demonstrated to be practical. Aruba currently judges the severity of this vulnerability to be "low". Accordingly, Aruba will patch it in the next scheduled maintenance release and will not be releasing emergency patches.

Resolution
==========
Aruba will fix this issue in InstantOS version 6.5.4.7 and higher. Specifically, Aruba plans to:
- Update WolfSSL to a non-vulnerable version
- Disable static-key TLS cipher suites so that all TLS sessions use ephemeral keys

The second change removes the oracle independently of the library version: with ECDHE or DHE key exchange the server never decrypts a client-chosen RSA ciphertext, so there is nothing for a Bleichenbacher attack to query. Ephemeral key exchange also provides forward secrecy, so sessions recorded before the fix cannot be decrypted later even if the certificate key is compromised.

Workarounds
===========
As a standard best practice, Aruba recommends that IAP administrators restrict access to the administrative HTTPS interface so that the interface is not available to untrusted users. This limits who can query the oracle but does not remove it; anyone who can still reach the interface can attempt the attack, so the upgrade remains necessary.

Exploitation and Public Discussion
==================================
Aruba is aware of significant public discussion of this issue. Attack tools are readily available which are effective against the "strong" form of the oracle. No attack tools are available which are effective against the "weak" form of the oracle covered by this advisory.
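The fix above turns on one observable property: after the upgrade, the IAP should refuse every cipher suite whose key exchange is plain RSA. The following script is an added example for this advisory, not Aruba's or WolfSSL's code. It classifies IANA cipher-suite names by key-exchange method and, given a hostname, offers a server only RSA-key-exchange suites (OpenSSL's `kRSA` keyword) to see whether it still accepts one. The hostname on the command line and the `SAMPLE_SUITES` list are placeholders constructed for the example, not real IAP output.

```python
"""Check a TLS endpoint (or a cipher-suite list) for static RSA key exchange.

Added example for Aruba-PSA-2018-002; not Aruba's or WolfSSL's code. ROBOT
only applies to suites in which the client RSA-encrypts the premaster secret
with the server's certificate key, so the post-upgrade check is simply: does
the server still negotiate any such suite?
"""
import socket
import ssl
from typing import Iterable, List, Optional

# IANA cipher-suite prefixes whose key exchange is static RSA. ECDHE_RSA and
# DHE_RSA suites only *sign* with the certificate key and are not affected;
# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) have no RSA key exchange at all.
_STATIC_RSA_PREFIXES = ("TLS_RSA_WITH_", "TLS_RSA_EXPORT", "TLS_RSA_PSK_WITH_")


def uses_rsa_key_exchange(suite: str) -> bool:
    """True if an IANA-named suite encrypts the premaster secret under RSA."""
    return suite.strip().upper().startswith(_STATIC_RSA_PREFIXES)


def audit_suites(suites: Iterable[str]) -> List[str]:
    """Return the suites that would feed a Bleichenbacher oracle if the
    server implementation leaks one (i.e. all static-RSA suites offered)."""
    return [s for s in suites if uses_rsa_key_exchange(s)]


def probe_static_rsa(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Offer a server only RSA-key-exchange suites and report what it picks.

    Returns the negotiated cipher name if the server completed a handshake
    with a kRSA suite (the precondition for ROBOT still holds), or None if
    it refused.  Certificate verification is disabled because the question
    is the key exchange, not the trust chain (IAP admin interfaces commonly
    use self-signed certificates); do not reuse this context elsewhere.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # TLS 1.3 has no RSA key exchange; cap at 1.2 so the server cannot
    # side-step the question by selecting 1.3.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("kRSA")  # OpenSSL cipher-string keyword: RSA key exchange only
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


# Constructed sample, shaped like a scanner's cipher list before the fix.
# Not real IAP output.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    import sys

    print("static RSA suites in sample:", audit_suites(SAMPLE_SUITES))
    if len(sys.argv) > 1:  # e.g.  python robot_check.py iap.example.net  (placeholder host)
        picked = probe_static_rsa(sys.argv[1])
        if picked:
            print("server still negotiates RSA key exchange:", picked)
        else:
            print("server refused every RSA-key-exchange suite")
```

A None result from `probe_static_rsa` means the fix's second item is in effect for that port; it says nothing about other TLS listeners on the device, which should be probed separately. A non-None result after upgrading to 6.5.4.7 or later is worth raising with Aruba support, since the advisory states that static-key suites are to be disabled.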
Revision History
================
Revision 1 / 2018-Jan-30 / Initial release
Revision 2 / 2018-Mar-28 / Updated fix version

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:
//www.nexbus-cng.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public key can be found at:
//www.nexbus-cng.com/support-services/security-bulletins/

(c) Copyright 2018 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAlq7qHIACgkQmP4JykWF
htlt5wgAiI0ZHjBraNix78BV89r4GvHleWnmh90lUeyHF/jSUZUZ7uv/MTj6P+N8
IlxX9yRJwLH6CO6043f9Ah0GkTB1E0z7DSrakWWeUERJWqv35koGi3tdDfKyOf8y
vLcJzWrYaJR+6jeZ6meBlwy7wDfMpYTv8FP+miU72LyuKAKmRtEFbqCTsGYs4nHa
CFNX9UsIvrP82g6ZTBfDV8r0VgnBOvZ8CqCyI32x/QORdP1V6lBKpmd+g2pq9xP0
/BLWkV3+D6rd7+f7/xS0EG5HyqKyTd/NtKgukyDbCodUdkK/cry9RVAjNPYm2tZK
YhNqxUa32qSvGHHk1KLKnemngHFL+w==
=Ovin
-----END PGP SIGNATURE-----