PT-2017-3743 · Aruba · Arubaos
Published 2017-10-11 · Updated 2018-10-18 · CVE-2017-9000
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
ArubaOS versions prior to 6.3.1.25
ArubaOS version 6.4 prior to 6.4.4.16
ArubaOS versions 6.5.x prior to 6.5.1.9
ArubaOS version 6.5.2
ArubaOS version 6.5.3 prior to 6.5.3.3
ArubaOS version 6.5.4 prior to 6.5.4.2
ArubaOS versions 8.x prior to 8.1.0.4
Description:
The issue is related to insufficient access control, allowing an unauthenticated user with network access to an Aruba mobility controller to access arbitrary files stored on the mobility controller. This can be done using TCP ports 8080 or 8081, which are used for captive portal functionality and are listening on all IP interfaces of the mobility controller by default. An attacker could access files containing passwords, keys, and other sensitive information, potentially leading to full system compromise.
Recommendations:
For ArubaOS versions prior to 6.3.1.25, update to version 6.3.1.25 or later.
For ArubaOS version 6.4 prior to 6.4.4.16, update to version 6.4.4.16 or later.
For ArubaOS versions 6.5.x prior to 6.5.1.9, update to version 6.5.1.9 or later.
For ArubaOS version 6.5.2, update to a later version.
For ArubaOS version 6.5.3 prior to 6.5.3.3, update to version 6.5.3.3 or later.
For ArubaOS version 6.5.4 prior to 6.5.4.2, update to version 6.5.4.2 or later.
For ArubaOS versions 8.x prior to 8.1.0.4, update to version 8.1.0.4 or later.
As a temporary workaround, consider restricting access to TCP ports 8080 and 8081 to minimize the risk of exploitation.
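To apply these recommendations across an inventory of controllers, the following is an added example (not code from the advisory or from Aruba) that encodes the affected ranges listed above and reports, for a version string read from a controller, whether it is affected and which fixed build the advisory points to. Branch ordering is an assumption made here so that the 6.5.2, 6.5.3 and 6.5.4 entries take precedence over the general "6.5.x prior to 6.5.1.9" entry.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected branches taken from the advisory: (branch prefix, first fixed build).
# A fixed build of None means the advisory lists no fixed build on that branch
# (6.5.2: "update to a later version"). Most specific prefixes come first.
BRANCHES: List[Tuple[Version, Optional[Version]]] = [
    ((6, 5, 2), None),
    ((6, 5, 3), (6, 5, 3, 3)),
    ((6, 5, 4), (6, 5, 4, 2)),
    ((6, 5), (6, 5, 1, 9)),      # 6.5.x prior to 6.5.1.9
    ((6, 4), (6, 4, 4, 16)),
    ((8,), (8, 1, 0, 4)),        # 8.x prior to 8.1.0.4
]
# "versions prior to 6.3.1.25" is a plain ordering check, not a branch.
OLDEST_FIXED: Version = (6, 3, 1, 25)


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a 4-tuple, padding missing components with 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected ArubaOS version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def recommended_fix(version: str) -> Optional[str]:
    """Return the advisory's fixed build for this version, or None if none applies."""
    v = parse_version(version)
    if v < OLDEST_FIXED:
        return ".".join(map(str, OLDEST_FIXED))
    for prefix, fixed in BRANCHES:
        if v[: len(prefix)] == prefix:
            if fixed is None or v < fixed:
                return None if fixed is None else ".".join(map(str, fixed))
            return None
    return None


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v < OLDEST_FIXED:
        return True
    for prefix, fixed in BRANCHES:
        if v[: len(prefix)] == prefix:
            return fixed is None or v < fixed
    return False
```

Versions on branches the advisory does not mention (for example 7.x) are reported as not affected, because the advisory gives no information about them.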
Fix
Improper Access Control
Information Disclosure
Related identifiers
Affected products
Arubaos