The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability note 20524

Aruba, Alcatel: known private key for securelogin

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on Aruba and Alcatel, in order to read or write data in the session.
Severity of this computer vulnerability: 3/4.
Creation date: 06/09/2016.
Références of this announce: VIGILANCE-VUL-20524.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Aruba and Alcatel-Lucent OmniAccess products use the "securelogin.arubanetworks.com" certificate, for the following features:
 - captive portal
 - web administration
 - WPA2-Enterprise 801.X authentication

However, the private key of this certificate was published.

An attacker can therefore act as a Man-in-the-Middle on Aruba and Alcatel, in order to read or write data in the session.
Full Vigil@nce bulletin... (Free trial)

This cybersecurity vulnerability impacts software or systems such as Alcatel OmniAccess Wireless Access Point, Alcatel OmniAccess Wireless LAN Switch, ArubaOS.

Our Vigil@nce team determined that the severity of this vulnerability is important.

The trust level is of type confirmed by the editor, with an origin of intranet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a technician ability can exploit this weakness alert.

Solutions for this threat

Aruba, Alcatel: workaround for securelogin.
A workaround is to install a custom SSL certificate.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a computer security patch. The technology watch team tracks security threats targeting the computer system. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.