The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
Aruba, Alcatel: known private key for securelogin
Synthesis of the vulnerability
An attacker can act as a Man-in-the-Middle against Aruba and Alcatel devices, in order to read or write data in the session.
Impacted software: Alcatel OmniAccess Wireless Access Point, Alcatel OmniAccess Wireless LAN Switch, ArubaOS.
Severity of this computer vulnerability: 3/4.
Consequences of an attack: user access/rights, data reading, data creation/edition.
Attacker's origin: intranet client.
Creation date: 06/09/2016.
References of this announcement: VIGILANCE-VUL-20524.
Description of the vulnerability
The Aruba and Alcatel-Lucent OmniAccess products use the "securelogin.arubanetworks.com" certificate for the following features:
- captive portal
- web administration
- WPA2-Enterprise 802.1X authentication
However, the private key of this certificate was published.
An attacker can therefore act as a Man-in-the-Middle against Aruba and Alcatel devices, in order to read or write data in the session.
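To find devices that still present this certificate on their web administration or captive portal interface, an administrator can inventory what each one serves. The Python sketch below is an added example, not part of the bulletin or of any vendor tooling: it fetches each device's TLS certificate without trusting it and flags those naming "securelogin.arubanetworks.com". The function names, the port and the status labels are assumptions, and the match is on the certificate name only, since the bulletin gives no fingerprint.

```python
import socket
import ssl

DEFAULT_NAME = b"securelogin.arubanetworks.com"  # certificate name given in the bulletin
# UTF8String, PrintableString, IA5String, and context tag [2] (dNSName inside a SAN)
STRING_TAGS = {0x0C, 0x13, 0x16, 0x82}

def der_strings(buf):
    """Yield every string-typed value found while walking a DER blob."""
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        body = buf[i:i + length]
        i += length
        if tag & 0x20 or tag == 0x04:  # constructed, or OCTET STRING wrapping an extension
            yield from der_strings(body)
        elif tag in STRING_TAGS:
            yield body

def names_default_cert(der):
    """True if any name string in the certificate equals the default securelogin name."""
    return any(s.lower() == DEFAULT_NAME for s in der_strings(der))

def fetch_der(host, port=443, timeout=5.0):
    """Fetch the server certificate without validating it; None if unreachable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the certificate is inspected here, never trusted
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None

def audit(hosts, fetch=fetch_der):
    """Map each host to 'default-cert', 'other-cert' or 'unreachable'."""
    result = {}
    for host in hosts:
        der = fetch(host)
        result[host] = ("unreachable" if der is None else
                        "default-cert" if names_default_cert(der) else "other-cert")
    return result
```

Call `audit([...])` with the management and captive portal addresses from your own inventory. A "default-cert" result means the device presents a certificate for that host name and should be checked against the vendor's guidance.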