Aruba AirWave admin? Get the latest patch

Aruba AirWave systems need patching against multiple bugs in their control interface.

Posted to Full Disclosure by SEC Consult, there are two problems with the kit: an XML External Entity Injection attack; and a reflected cross-site scripting (XSS) attack.

Both can be exploited remotely.

In CVE-2016-8526, the XML parser used by the AirWave control panel resolves external XML entities, so an attacker can read files and port-scan the internal network by sending commands to the parser.

The advisory adds that files on the AirWave are encrypted using a shared static key, meaning privilege escalation is also feasible.

The second bug, CVE-2016-8527, allows reflected XSS. “Due to the lack of input validation, an attacker can insert malicious JavaScript code to be executed under a victim's browser context”, the advisory says (with proof-of-concept).

The bugs are fixed in Aruba AirWave 8.2.3.1, released in late February. ®