-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------
Aruba Wireless Networks Security Advisory

Title: Aruba switches are vulnerable to a PPTP exploit. ACLs by default allow PPTP to the Aruba switch
Aruba Advisory ID: AID-02102005
Revision: 1.0
For Public Release on 20:00 (GMT)
References: Aruba bug ID 00006264
- ----------------------------------------------------------------------

SUMMARY

Because of a buffer overflow, Aruba switches are vulnerable to a PPTP exploit even if the device is not configured to use this VPN feature.

PRODUCTS AND FIRMWARE VERSIONS AFFECTED

Hardware: All Aruba Wireless Networks platforms are affected
Software: Aruba OS versions prior to 2.2.4.4

DETAILS

The exploit could cause a buffer overflow in the PPTP process on the Aruba switch.

IMPACT

Could cause general instability in the switch.

WORKAROUNDS

For customers who do not use PPTP VPN, the workaround is to remove the PPTP service from the vpnlogon session ACL:

    configure terminal
    ip access-list session vpnlogon
    no any any svc-pptp permit

For customers who use PPTP, there is no workaround available.

SOLUTION

Upgrade the switch to version 2.2.4.4 or higher.

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website.

Aruba Support contacts are as follows:

    1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
    +1-408-754-1200 (toll call from anywhere in the world)
    e-mail: support(at)arubanetworks.com
    web: //www.nexbus-cng.com/support

Please do not contact either "wsirt(at)arubanetworks.com" or "security(at)arubanetworks.com" for software upgrades.

EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at //www.nexbus-cng.com/support/wsirt/alerts/aid-02102005.asc

STATUS OF THIS NOTICE: Final

Although Aruba Wireless Networks cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aruba Wireless Networks does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aruba Wireless Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at //www.nexbus-cng.com/support/wsirt/alerts/aid-02102005.asc

Future updates of this advisory, if any, will be placed on Aruba's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

REVISION HISTORY

Revision 1.0 / 02-10-2005 / Initial release

ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Wireless Networks products and obtaining assistance with security incidents is available at //www.nexbus-cng.com/support/wsirt.php

For reporting *NEW* Aruba Wireless Networks security issues, email can be sent to wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at //www.nexbus-cng.com/support/wsirt.php

(c) Copyright 2005 by Aruba Wireless Networks, Inc.

This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGeFlvp6KijA4qefURAqPpAKCHdda+uT4R+X6kHwteBS2H9SzpzQCghPdA
PBGBLg6AM8xSbN+UyediSX4=
=kwat
-----END PGP SIGNATURE-----
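
An audit check for the fixed version and the vpnlogon workaround described in the advisory above, as an added example that is not part of the Aruba advisory or Aruba's tooling. It assumes a saved configuration in which ACL rules are indented under their "ip access-list session" line and a stanza ends at "!" or at the next unindented line; the function names and the sample configuration are constructed for illustration.

```python
import re

FIXED = (2, 2, 4, 4)  # first fixed Aruba OS release named in the advisory

def is_fixed(version):
    """True if a dotted version string is 2.2.4.4 or later."""
    v = tuple(int(p) for p in re.findall(r"\d+", version))
    v += (0,) * (len(FIXED) - len(v))  # "2.3" compares as 2.3.0.0
    return v >= FIXED

def vpnlogon_permits_pptp(config):
    """True if the vpnlogon session ACL still carries an svc-pptp permit rule."""
    in_acl = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ip access-list session "):
            in_acl = line.split()[-1] == "vpnlogon"
        elif line == "!" or not raw[0].isspace():
            in_acl = False  # assumed stanza terminator or next top-level command
        elif in_acl and not line.startswith("no "):
            fields = line.split()
            if "svc-pptp" in fields and "permit" in fields:
                return True
    return False

def assess(version, config):
    """Classify a switch against the advisory: fixed, workaround applied, or exposed."""
    if is_fixed(version):
        return "fixed"
    if not vpnlogon_permits_pptp(config):
        return "workaround applied"
    return "exposed"

# Constructed sample configuration (not taken from a real device).
SAMPLE_DEFAULT = """\
ip access-list session vpnlogon
  any any svc-l2tp permit
  any any svc-pptp permit
!
ip access-list session example-acl
  any any svc-pptp permit
!
"""
# The same configuration after the advisory's workaround removed the vpnlogon rule.
SAMPLE_WORKAROUND = SAMPLE_DEFAULT.replace("  any any svc-pptp permit\n", "", 1)

if __name__ == "__main__":
    for ver, cfg in (("2.2.4.3", SAMPLE_DEFAULT), ("2.2.4.3", SAMPLE_WORKAROUND),
                     ("2.2.4.4", SAMPLE_DEFAULT)):
        print(ver, assess(ver, cfg))
```

The check only inspects the vpnlogon stanza, so an svc-pptp rule in another ACL does not mask or trigger a finding; sites that use PPTP have no workaround and will report "exposed" until upgraded.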